Raw Microsoft-Windows-Sysmon/Operational event records (Sysmon event IDs 23 FileDelete, 3 NetworkConnect and 7 ImageLoad) from win-dc-128.attackrange.local and win-host-987.attackrange.local, 2022-02-01 20:56 to 20:57, with XML tags stripped.
734700x8000000000000000150621343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150621336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150621332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150621331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000150621329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150621326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:03.893{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:03.893{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:03.893{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.878{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150621319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:56:44.915{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52401-false10.0.1.12-8000- 23542300x8000000000000000150621318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.143{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8B7D1C787F8EC5B34A917701CC30C3,SHA256=D100BD8F36EC674BF39CFE8C55D05B7393D62B265D64B94EE622514055FED270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071065838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:56:56.752{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52546-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071065840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:57:04.987{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A7E277F1A9347C1E881E1B4665B041,SHA256=6E645A606D4942C2A0BEB3E4AF6110AA8A69257A50DC166372E088B2AE890C91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.924{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF99F3FE713F290BA41AE37A54DBC77E,SHA256=3D5D1A2653FF6F43B9EA949A95478B314E371153CE58A08635E2F76CCBF26B31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150621422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.799{3BF36828-9EA0-61F9-190A-02000000CF01}36482784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.799{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150621420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.799{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150621419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150621418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150621417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150621416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150621415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000150621414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150621413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150621412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150621411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.596{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel 
API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150621410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
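The records above are Sysmon events (ImageLoad 7, ProcessAccess 10, NetworkConnect 3, ProcessCreate 1, FileDelete 23) with their XML tags stripped, so each field runs straight into the next. Below is a Python parser and two detections written over them, added here as an example; it is not code from the page, from Splunk, or from the Attack Range project. Three sample records are copied from the log above (one call trace shortened); the PowerShell-to-lsass access and the unsigned update.dll load are constructed to exercise the checks. The field order assumed for each EventID is the one visible in the records on this page (newer Sysmon schemas append fields to some event types and would need the patterns extended), and SENSITIVE_TARGETS and INTRUSIVE are this example's own choices, not Sysmon settings.

```python
import re

# Field order once the XML tags are gone: the System block (EventID, Version, Level, Task,
# Opcode, Keywords, EventRecordID, Channel, Computer) then EventData (RuleName, UtcTime,
# per-event fields). Task repeats the EventID, which is what makes the header splittable.
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)(?P<kw>0x[0-9A-Fa-f]{16})"
    r"(?P<rec>\d+)Microsoft-Windows-Sysmon/Operational(?P<comp>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$"
)
# EventID 10: SourceProcessGUID, SourceProcessId+SourceThreadId (fused), SourceImage,
# TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
# GrantedAccess is lower-case hex, so a lazy match stops before CallTrace's drive letter.
ACCESS = re.compile(
    r"^\{(?P<sguid>[0-9A-F-]+)\}(?P<spidtid>\d+)(?P<simg>.+?)\{(?P<tguid>[0-9A-F-]+)\}"
    r"(?P<tpid>\d+)(?P<timg>.+?)(?P<access>0x[0-9a-f]+?)(?P<trace>[A-Za-z]:\\.*)$"
)
# EventID 7: ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product,
# Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus.
IMAGELOAD = re.compile(
    r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<img>.+?\.exe)(?P<loaded>.+?\.(?:dll|DLL|exe))"
    r"(?P<meta>.*?)MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
    r"IMPHASH=(?P<imphash>[0-9A-F]{32})(?P<signed>true|false)(?P<signature>.*?)"
    r"(?P<status>Valid|Invalid|Unavailable|Expired)$"
)

# Process access rights (winnt.h). 0x1fffff is PROCESS_ALL_ACCESS; 0x1400 is query-only.
INTRUSIVE = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040  # CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE|DUP_HANDLE
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe", "csrss.exe", "winlogon.exe"}  # example watch-list

SAMPLE_LINES = [
    # copied from the log above: conhost.exe opens splunk-MonitorNoHandle.exe with PROCESS_ALL_ACCESS
    r"10341000x8000000000000000150621331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    # copied from the log above (call trace shortened): svchost.exe queries sysmon64.exe via lsm.dll
    r"10341000x8000000000000000150621326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\SYSTEM32\ntdll.dll+51781",
    # copied from the log above: signed ntdll.dll load
    r"734700x8000000000000000150621328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:03.893{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid",
    # CONSTRUCTED: powershell.exe opens lsass.exe with 0x1010 (QUERY_LIMITED_INFORMATION | VM_READ)
    r"10341000x8000000000000000900000001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:00.000{B81B27B7-0000-61E8-0000-00000000CE01}52002100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{B81B27B7-4B36-61E8-0600-00000000CE01}612C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF8A1B20010)",
    # CONSTRUCTED: unsigned DLL loaded from a world-writable directory (placeholder hashes)
    r"734700x8000000000000000900000002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:01.000{B81B27B7-0000-61E8-0000-00000000CE01}5200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\update.dll-----MD5="
    + "A" * 32 + ",SHA256=" + "B" * 64 + ",IMPHASH=" + "C" * 32 + "false-Unavailable",
]


def parse_event(line):
    """Split one tag-stripped Sysmon record into a dict; unknown event types keep a raw body."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = {"eid": int(m.group("eid")), "rec": m.group("rec"), "comp": m.group("comp"), "utc": m.group("utc")}
    body = m.group("body")
    if ev["eid"] == 10 and (b := ACCESS.match(body)):
        ev.update(b.groupdict())
        ev["access"] = int(ev["access"], 16)
    elif ev["eid"] == 7 and (b := IMAGELOAD.match(body)):
        ev.update(b.groupdict())
        ev["pid"] = int(ev["pid"])
        ev["signed"] = ev["signed"] == "true"
    else:
        ev["raw"] = body
    return ev


def split_pid_tid(fused, known_pids=frozenset()):
    """SourceProcessId and SourceThreadId are separate fields that the stripping fused
    ('34443464' is PID 3444 + TID 3464). Windows PIDs/TIDs are multiples of 4 and never
    zero-padded, which prunes most cuts; a PID seen elsewhere in the log settles the rest.
    Returns (pid, tid) when unique, else None: the delimiter loss is not always recoverable."""
    cands = []
    for cut in range(1, len(fused)):
        p, t = fused[:cut], fused[cut:]
        if p[0] == "0" or t[0] == "0":
            continue
        pid, tid = int(p), int(t)
        if pid % 4 == 0 and tid % 4 == 0 and pid >= 4 and tid >= 4:
            cands.append((pid, tid))
    known = [c for c in cands if c[0] in known_pids]
    if len(known) == 1:
        return known[0]
    return cands[0] if len(cands) == 1 else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_process_access(events):
    """ProcessAccess events that open a watched process with more than query rights.
    svchost.exe -> sysmon64.exe with 0x1400 stays quiet; read/write/thread rights on
    lsass.exe is the classic credential-dumping shape."""
    return [(basename(e["simg"]), basename(e["timg"]), e["access"]) for e in events
            if e and e["eid"] == 10 and "access" in e
            and basename(e["timg"]) in SENSITIVE_TARGETS and e["access"] & INTRUSIVE]


def unsigned_image_loads(events):
    """ImageLoad events whose module is unsigned or whose signature did not validate."""
    return [e["loaded"] for e in events
            if e and e["eid"] == 7 and "signed" in e and (not e["signed"] or e["status"] != "Valid")]


EVENTS = [parse_event(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    known = {e["pid"] for e in EVENTS if "pid" in e} | {int(e["tpid"]) for e in EVENTS if "tpid" in e}
    for e in EVENTS:
        if "spidtid" in e:
            print(e["rec"], basename(e["simg"]), "pid/tid:", split_pid_tid(e["spidtid"], known))
    print("process access hits:", suspicious_process_access(EVENTS))
    print("unsigned loads:", unsigned_image_loads(EVENTS))
```

Two things the run makes visible that the raw dump hides: the fused SourceProcessId/SourceThreadId value is genuinely ambiguous for the conhost.exe and svchost.exe records (two valid cuts each) unless the source PID is known from another event, and the four svchost.exe accesses to sysmon64.exe on this page carry only query rights (0x1400), which is why a detection keyed on the access mask rather than on the target name alone is the right shape.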
734700x8000000000000000150621407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150621406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150621395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150621394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150621393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150621391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000150621389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150621387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150621383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150621381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150621378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:04.580{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:04.580{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.580{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.565{3BF36828-9EA0-61F9-190A-02000000CF01}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150621371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.221{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBCD5953B56156541D2AD36ACECB76A,SHA256=64062A77442DD7735103259FB84970B021F24FADE6B06DF311DFC667DA9D0A76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150621370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.098{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150621369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.098{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150621368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:04.098{3BF36828-9E9F-61F9-180A-02000000CF01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150621424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:05.346{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDE4E416F3BD60381FCB4EB2EB1016B,SHA256=233C4D2268EAE070E439315E16F14FA4CE529A6FA7B0F9F070A50DCAE07AF57C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.377{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3661B26A45187C530151E05331905FC1,SHA256=FBDEDEE9BD6A7C8BCECC7312B079DBBB05C29BC8F4329FEA67B5244A80A65179,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:06.034{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58373AE50C57284DB50A878BC812FA59,SHA256=E7AE65E15748CBCD5E7AB9F86EA28EED3CEE610E415E48BFE24A6120CA938BA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:07.393{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692A349AC0EB49552587B2E43D5C16C3,SHA256=6AC8959864427AEB8F2686E17C281EE5F9BBD903681D0902556A0D6AD2001796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071065842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:07.253{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08B7E5C3C1A71B6D45ED22A01DD89AE,SHA256=90F0AE920E159811CA0E8D4A2BA499CF02E821D8626E45B517850981374D2EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:08.408{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A011DFC6877123EEF4AD60FA6D763C4F,SHA256=B2D0706ACF39BB112B79BBB16AC93318665960841FB43C5477D40E72AB180554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:08.284{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1875789B78BB1730978852434D90F94,SHA256=F86B56A3F37590404E352E724F6A78584D5734B1473E70797B99AD677EAA8481,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:08.346{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4858098CD25E0CACF0C363E6DE2B7D3F,SHA256=8CDE225402B010AF319D0A58845D2CF5DF5D37DDDEE9DC96CCD4F0F850F82EDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150621427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:08.111{3BF36828-4B37-61E8-0B00-00000000CF01}6324892C:\Windows\system32\lsass.exe{3BF36828-4B33-61E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000071065845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:02.785{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52547-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071065844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:09.394{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E4E3EE04D2D8DD594A95C62B376FB3,SHA256=B100C9FF249C222DFE11D66C7E313334252BC7EF3F7660AB826AC5704F7C28F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150621489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150621488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150621487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150621486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150621485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150621484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
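The records above are Sysmon events flattened out of their Windows Event XML: each one starts with EventID, Version, Level, Task, Opcode, Keywords and EventRecordID, then Channel and Computer, then the EventData fields in schema order (for Event ID 10 that is SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace; for Event ID 7 the loaded image, its version strings, Hashes, Signed, Signature, SignatureStatus; for Event ID 23 the deleted file, Hashes, IsExecutable and Archived). The following Python is an added example, not code from Attack Range or Splunk: it re-wraps a handful of the values visible on this page in the XML layout Sysmon actually writes (the samples are constructed here, with provider GUIDs and execution IDs omitted because the page does not show them), parses them, and runs three checks a responder would want on this kind of dump. The one synthetic positive record (record ID 900000001, image C:\Temp\constructed-sample.exe) is invented for the test and is not on the page. The point the lsass check makes is grounded in record 150621427: there lsass.exe is the SourceImage opening PID 4 with 0x1000, so a detection that matches "lsass.exe" anywhere in the event fires on benign Kerberos work, while one keyed on TargetImage and the memory-access bits does not.

```python
"""Parse Sysmon events as Windows Event XML and triage the record types seen on
this page: Event ID 10 (ProcessAccess), 7 (ImageLoad) and 23 (FileDelete).
Sample events are constructed from field values visible on the page and
re-wrapped in the XML schema Sysmon writes; they are not a capture."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Access-mask bits that let the opener read or tamper with the target's memory:
# CREATE_THREAD, VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE.
MEMORY_ACCESS_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040


@dataclass
class SysmonEvent:
    event_id: int
    record_id: int
    computer: str
    data: dict = field(default_factory=dict)


def parse_events(xml_text: str) -> list:
    """Turn an <Events> document into SysmonEvent objects keyed by the Data Name attributes."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(SysmonEvent(
            event_id=int(sysnode.findtext("e:EventID", namespaces=NS)),
            record_id=int(sysnode.findtext("e:EventRecordID", namespaces=NS)),
            computer=sysnode.findtext("e:Computer", namespaces=NS),
            data=data))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lsass_memory_access(ev: SysmonEvent) -> bool:
    """EID 10 where the *target* is lsass.exe and the granted mask carries memory bits.
    Keying on SourceImage instead would fire on the page's record 150621427, where
    lsass.exe is the opener (Kerberos work against PID 4) and the mask is only 0x1000."""
    if ev.event_id != 10 or basename(ev.data.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = int(ev.data.get("GrantedAccess", "0x0"), 16)
    return bool(granted & MEMORY_ACCESS_MASK)


def image_load_signature_issue(ev: SysmonEvent) -> bool:
    """EID 7 whose loaded image is unsigned or whose signature did not validate."""
    return ev.event_id == 7 and (ev.data.get("Signed") != "true"
                                 or ev.data.get("SignatureStatus") != "Valid")


def archive_failed(ev: SysmonEvent) -> bool:
    """EID 23 where Sysmon could not copy the deleted file to its archive directory,
    so the evidence is gone; the page's records read 'false - insufficient disk space'."""
    return ev.event_id == 23 and ev.data.get("Archived") != "true"


def triage(xml_text: str) -> list:
    """Return (EventRecordID, finding) pairs in event order."""
    findings = []
    for ev in parse_events(xml_text):
        if lsass_memory_access(ev):
            findings.append((ev.record_id, "lsass-memory-access"))
        if image_load_signature_issue(ev):
            findings.append((ev.record_id, "unsigned-or-invalid-image-load"))
        if archive_failed(ev):
            findings.append((ev.record_id, "filedelete-archive-failed"))
    return findings


def _event(eid, version, record_id, utc, fields, computer="win-dc-128.attackrange.local"):
    """Build one Sysmon <Event> in Windows Event XML layout (sample-construction helper)."""
    datas = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields)
    return (f'<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{eid}</EventID>'
            f'<Version>{version}</Version><Level>4</Level><Task>{eid}</Task><Opcode>0</Opcode>'
            f'<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="{utc}"/>'
            f'<EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>{computer}</Computer>'
            f'</System><EventData>{datas}</EventData></Event>')


SAMPLE_EVENTS_XML = f'<Events xmlns="{NS["e"]}">' + "".join([
    # Record 150621427 from the page: lsass.exe is the *source*, System (PID 4) the target.
    _event(10, 3, 150621427, "2022-02-01 20:57:08.111", [
        ("RuleName", "-"), ("UtcTime", "2022-02-01 20:57:08.111"),
        ("SourceProcessGUID", "{3BF36828-4B37-61E8-0B00-00000000CF01}"),
        ("SourceProcessId", "632"), ("SourceThreadId", "4892"),
        ("SourceImage", "C:\\Windows\\system32\\lsass.exe"),
        ("TargetProcessGUID", "{3BF36828-4B33-61E8-0100-00000000CF01}"),
        ("TargetProcessId", "4"), ("TargetImage", "System"), ("GrantedAccess", "0x1000"),
        ("CallTrace", "C:\\Windows\\SYSTEM32\\ntdll.dll+a6134|C:\\Windows\\System32\\KERNELBASE.dll+221bd|C:\\Windows\\system32\\kerberos.DLL+96fe2")]),
    # Record 150621378: svchost.exe (via lsm.dll) opening sysmon64.exe with 0x1400, routine.
    _event(10, 3, 150621378, "2022-02-01 20:57:04.580", [
        ("SourceProcessId", "840"), ("SourceImage", "C:\\Windows\\system32\\svchost.exe"),
        ("TargetProcessId", "2992"), ("TargetImage", "C:\\Windows\\sysmon64.exe"),
        ("GrantedAccess", "0x1400")]),
    # Record 150621405: splunk-admon.exe loading libeay32.dll, signed by Splunk, Inc., Valid.
    _event(7, 3, 150621405, "2022-02-01 20:57:04.580", [
        ("ProcessId", "3648"),
        ("Image", "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe"),
        ("ImageLoaded", "C:\\Program Files\\SplunkUniversalForwarder\\bin\\libeay32.dll"),
        ("FileVersion", "1.0.2t"), ("Description", "OpenSSL Shared Library"),
        ("Hashes", "MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE"),
        ("Signed", "true"), ("Signature", "Splunk, Inc."), ("SignatureStatus", "Valid")]),
    # Record 150621371: FileDelete whose archive copy failed for lack of disk space.
    _event(23, 5, 150621371, "2022-02-01 20:57:04.221", [
        ("ProcessId", "3900"), ("User", "NT AUTHORITY\\SYSTEM"),
        ("Image", "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe"),
        ("TargetFilename", "C:\\Program Files\\SplunkUniversalForwarder\\var\\lib\\splunk\\modinputs\\WinEventLog\\Microsoft-Windows-Sysmon_Operational"),
        ("IsExecutable", "false"), ("Archived", "false - insufficient disk space")]),
    # Synthetic positive, NOT on the page: an unknown binary opening lsass.exe with VM_READ set.
    _event(10, 3, 900000001, "2022-02-01 21:00:00.000", [
        ("SourceProcessId", "4242"), ("SourceImage", "C:\\Temp\\constructed-sample.exe"),
        ("TargetProcessId", "632"), ("TargetImage", "C:\\Windows\\system32\\lsass.exe"),
        ("GrantedAccess", "0x1010")]),
]) + "</Events>"

if __name__ == "__main__":
    for record_id, finding in triage(SAMPLE_EVENTS_XML):
        print(record_id, finding)
```

Run stand-alone it reports only the archive failure on record 150621371 and the synthetic lsass read; none of the page's own ProcessAccess or ImageLoad records trip a check. The repeated "insufficient disk space" on the Event ID 23 records is the operational finding worth acting on here: while the Sysmon archive directory is full, any file an attacker deletes on these hosts is logged but not preserved.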
734700x8000000000000000150621483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150621482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.940{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150621481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150621480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150621479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150621478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150621477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150621476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000150621473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150621471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150621462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150621460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150621458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150621456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150621455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150621453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150621452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150621449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150621447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150621444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:09.924{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:09.924{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.924{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.909{3BF36828-9EA5-61F9-1A0A-02000000CF01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150621437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:09.424{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807FF11BA284DCC80015B2C5FCE937AA,SHA256=C48832F3E741E44956A68751C6DDDF462AB56F5C6947587495B3FBBEE302F899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150621531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150621529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000150621528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150621524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150621523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150621520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.565{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000150621510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150621506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150621505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150621503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150621500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:10.549{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:10.549{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:10.549{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.549{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.537{3BF36828-9EA6-61F9-1B0A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150621493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:10.533{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08A8D95B43EB251851D28B511DEB36C,SHA256=B44901DF97FDE5A812237868EE67B6182582465D8E99F51985BFD392339E1F22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071065853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:10.378{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EA6-61F9-B509-02000000CE01}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:10.378{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9EA6-61F9-B509-02000000CE01}1016C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071065851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:10.378{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150621622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.346{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88063D66659DE2A1C33607C66E11F9E1,SHA256=9D8AE59040FB5AFF2FA7C376B8F3252A8EB6CBAC771F6F2954FBEB06304302CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150621621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.268{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150621620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.268{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150621619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.268{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150621618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.268{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150621617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000150621616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150621615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150621614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150621613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150621612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150621611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150621610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150621609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
10341000x800000000000000071065872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.535{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EA7-61F9-B709-02000000CE01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.519{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:57:11.519{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.519{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:57:11.519{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.519{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9EA7-61F9-B709-02000000CE01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071065866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.519{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EA7-61F9-B709-02000000CE01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071065865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.504{B81B27B7-9EA7-61F9-B709-02000000CE01}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071065864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.425{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AE0761AA2E9849CDD1C616DB76D5D5,SHA256=F9097CD71CB120269FD9A814FF83FE94FB6D75CA6E1B368DAEFD190EA17B9B4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071065863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:11.425{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6190EF8D3CFF785992D5B38985B34F62,SHA256=77EBC1C5318E8D9C8BCCEF7B0CD60FCAF839E2B89EABDA44BBEC90A944EC3D63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150621606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150621605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000150621600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150621594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:11.252{3BF36828-9EA7-61F9-1C0A-02000000CF01}1064C:\Program 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 
734700x8000000000000000150621709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150621706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150621702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150621700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000150621699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150621697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:19.346{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:19.346{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:19.346{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.346{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.331{3BF36828-9EAF-61F9-1E0A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150621690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.158{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BC6BE6548F5D760F408FFC7B74E965,SHA256=2E83936ED29912F53937F35EA72F142F9D1324A665EAEC395CF1BB6EE584F439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:19.158{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E229F880DCCC827F72D13BDF31F0622D,SHA256=D7E90F7B67A2458FDE72424294E6E90AC20181C6906DAD25316B963CC6498507,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071065886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:13.800{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52549-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x800000000000000071065885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:20.706{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FE230396FD6C7FCFEE2340CC61D5AE,SHA256=7921DA027E18F800141B88E8E82A6C9235D9CFD7073713824F2979434395D7AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:20.471{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82136949351A3F67551A6B9A617C7C72,SHA256=4A29DAF0D646E189BF59911C13A4C073A333D5F1311F4D1CEF395C8974864140,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:20.471{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BC6BE6548F5D760F408FFC7B74E965,SHA256=2E83936ED29912F53937F35EA72F142F9D1324A665EAEC395CF1BB6EE584F439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071065895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.956{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EB1-61F9-B809-02000000CE01}4632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.956{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:57:21.956{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.956{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:57:21.956{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.956{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-9EB1-61F9-B809-02000000CE01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071065889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.956{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EB1-61F9-B809-02000000CE01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071065888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.941{B81B27B7-9EB1-61F9-B809-02000000CE01}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071065887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:21.722{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CFBA9296BB1CA3ECFC5E859ECDBEAB,SHA256=B40D69F8054EC80666973DE90F91E9EE399618417AAA2B45CECF636DD3C22F7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:24.003{B81B27B7-9EB3-61F9-BB09-02000000CE01}4156820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071065929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:25.753{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094946AA18C4749AC15E4FE00576E49E,SHA256=E60127A1E2479C729112798844AC49FB241D90C1B30A27F24C7ABF8C496CBC0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:25.768{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078164D7558C321E91A8C8554C1D0723,SHA256=E43100D01029A0A8F87AD28E147E60CB464A42B8AD256F410E21BFF8C839E21A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150621798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:06.879{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52410-false10.0.1.12-8000- 354300x8000000000000000150621797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.614{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local64191- 354300x8000000000000000150621796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.613{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50002- 354300x8000000000000000150621795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.611{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local49785- 354300x8000000000000000150621794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.610{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61558- 354300x8000000000000000150621793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.609{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local59401- 354300x8000000000000000150621792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:06.605{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62748- 354300x8000000000000000150621791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.604{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local63996- 354300x8000000000000000150621790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.603{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59639- 354300x8000000000000000150621789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.600{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local49890- 354300x8000000000000000150621788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.599{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local57412- 354300x8000000000000000150621787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:06.598{3BF36828-4B49-61E8-2E00-00000000CF01}2160C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59426- 23542300x800000000000000071065931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:26.972{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AD60DB0823000A919E134EF727DCAD,SHA256=F92208C34CF19DDA54325A1984D62F606F66E9022CB7346D21DAA8348347664B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:26.799{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CD22FF70A4E1A81BC5F4C3A0B634A,SHA256=574374DBFD6A713DA5BCE1BA58F09F8CA036A86230E34AE3FF90411A8F39F8DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071065930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:18.863{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52550-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150621801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:27.815{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA0D4B25A3669F0D761A1413DEC59A4,SHA256=2E48426D047828751C388330864EB780547B3D3C9898D53015C96A9315640EC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:28.846{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444524A27A3ED2B51B657169E1BF4427,SHA256=F5151C6355C063A68A3799C69D543B49DBD4E7329A0115180EB72A0661C0A2F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:28.206{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8C7159A3D5F98CE0F41832C1A21C5F,SHA256=C3445AF19F39C33606D7C6888054B3F3FBF711D22CA170000D5F8925D5D0B273,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:29.877{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8984D1C4D888BDAE8AFF9A9993E5DA,SHA256=B6E560975A397063F67926698C10ED5749E5F781E4F5AF917EB1A3336CDFCAD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:29.237{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7D726D4A992BBB9092C17A1CC3161A,SHA256=6D61E430A3AD7BD74F775A5BE2844267F1F266E4F0840732CBCDFFBD48C52377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:30.893{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D0E714E560596460A42C7971C40B36,SHA256=0C8ACDA37B14F394A5701546D86D23B0B7AF14322A75F70AEB9CEC85028A4F4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:30.300{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168A8B39F0B9B2AC500159BCAB28C905,SHA256=911EF518D9365D2ACBA4C64BABF8F82B116E3F3F30BD9DBDB55655FC201B6DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:30.127{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4F9E72AA92B498EBF5D8EFFF81F095,SHA256=D41CC4EE477ED0E92E27403BFFAC3EB5BABC74EDC8B170793EA60BE1329EC1FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150621804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:30.127{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB28B6670A167142C2A9EB52558B274,SHA256=A27028A90EF81BF54B9170124585561AD79EE15A53A95D983FACCD3A464BD152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:31.908{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017305138A716F8329C23976170CE4E3,SHA256=DEA9483B5B7F95F5EA665C0DC1CA8B08C885884C37602A503FF40E4840162A8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:31.534{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3377BAD5C39554BD1CD7F98E7DF7CD,SHA256=0CC6B09B264BC0B75B78FCA297557A5F425BE9FDC7ED2CE28ADBD2A1A17EC6E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150621808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:12.785{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52411-false10.0.1.12-8000- 
23542300x8000000000000000150621807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:31.252{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4F9E72AA92B498EBF5D8EFFF81F095,SHA256=D41CC4EE477ED0E92E27403BFFAC3EB5BABC74EDC8B170793EA60BE1329EC1FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:32.924{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314155FA51BC6D8ACC7CFF0579460BB0,SHA256=8E63D2B8737575F517A45E28FC023052E729FFF416CFFC74AA91FDA5CE6126DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:32.581{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E3A7DEADE3271B0393BCB6C6D55F65,SHA256=8B0D69F4F43EADF58AC0F05F54BACCB022E8A3B0914B188AF5795E66FB1E594D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150621811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:13.895{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52412-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 
354300x8000000000000000150621810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:13.895{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52412-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000071065936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:24.769{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52551-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150621813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:33.940{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67150243303C7D7DD18A8BA498943A72,SHA256=E61E61D94168D50B2A4C17CA66D8E2A9EA5CD9A786927DBD4FE775E24540B57C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:33.816{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA555A32ED25F471E3B2D17B2DF6490,SHA256=C7E8BBE8B3902C2F744027493192CCAA803E37F5B6833D1F1D5A0AF527507160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:57:34.955{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7783535432450CD7CFD43973883A357C,SHA256=6C5D0E00614E218F9F96F9670F95CDF5DB951749BD9F1B8886DC6FE44A2EAB29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:34.847{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B92FC4536CDA03228160DE4C9FEF11,SHA256=B640B57DF3465E31782415EFA645117EA0D88F24E7DDDEC5AD96744B052FC67B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:35.862{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA6696869696541D93D105C7BF4982C,SHA256=EFCC57AB00B808880DB1BDA719A72A9E7F214F490AE0C2F28DEAF0E3103B3600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:35.986{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EB88FE025D3CFBAD8BB06E53847611,SHA256=3BBBEA6518C5AA7B715D62EA6AA7AA5F3A363053085F20CA696E81673B3D371D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071065941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:29.816{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52552-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150621816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:36.065{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F58B932E0B553034CACCBC243BCC1F9E,SHA256=1EFBE450A9DD8C377385055E7514B3E27540A0E5E7E9DE8D757759F3D21ED321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150621818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:18.707{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52413-false10.0.1.12-8000- 23542300x8000000000000000150621817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:37.002{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBF20D4722D30B770C6696D31D1F265,SHA256=DFECA9E11DEC0CA349B8897D35D3F8A8AC61644D54CCCFBDC29EFCDFA6835772,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:37.097{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCD889CF4DEE20BBB5686736B8B9AD0,SHA256=CD953BB5A69B76F696A953D78AAF02BE0F647A2FB75DA6A3214174A2FBFCBF5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:38.112{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F3AC0980705534F1C4917D832BDE09,SHA256=F95629AC369EF44DADB66F14DCD7A14CC7A07EAAE6F2EFB9C9F05246473F77F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:38.018{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D47F6A9755762F18826792C17E762A,SHA256=8CA9995AEFFC4DBF50B684E17B284FC11B902BB2B90022A32416E6ED31C47132,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071065944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:39.347{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98C0760F16214F07A0B14A238BEA513,SHA256=95E381AD0C401B26ECC9CE2F7E91F5A5DA534EB52FF78C8787C2A75638D6490C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:39.033{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647846A6AF629316B2BADE2F5123A7C9,SHA256=69D3755DDB2965B8B8872B725D9EB26CF552EB06E18E3526896BF9FD2DB842CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:40.362{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76940F6A09EC81A6FA87D40318942132,SHA256=575137C336AD18EBC4FC0D30BE42A6DE90C289793251FC1E204533735C409D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:40.065{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon events from the attackrange.local hosts win-dc-128 and win-host-987, one record per line, in the order they appear in the capture. The capture ran the XML field values together with no separators; below each record is split back into its Sysmon fields, in schema order, separated by " | ". Columns that hold the same value in every record of this span are factored out here: Level 4, Opcode 0, Keywords 0x8000000000000000, Channel Microsoft-Windows-Sysmon/Operational, RuleName "-". Version is 5 for events 3 and 23 and 3 for event 7; Task equals the EventID.

Event 3 (NetworkConnect) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
Event 7 (ImageLoad) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
Event 23 (FileDelete) columns: EventID | EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

(tail of a record whose header precedes this span; TargetFilename is cut) Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=709C90F8FF6D234F477974AEC8E8D541,SHA256=72AAD5A5271681C79642FF3704D9B62843BA445A5CB5D1BE37EA370A821F9418,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 71065947 | win-host-987.attackrange.local | 2022-02-01 20:57:34.957 | {B81B27B7-4B45-61E8-6600-00000000CE01} | 4020 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52553 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 71065946 | win-host-987.attackrange.local | 2022-02-01 20:57:41.597 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=01F553B45399E8F47CCEE807BA67726E,SHA256=7B9BF9B197B2133B0A8A5B98735557735A4F45C24307CD8FE0C1E22B7593FBA5,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 150621825 | win-dc-128.attackrange.local | 2022-02-01 20:57:23.785 | {3BF36828-4B56-61E8-6D00-00000000CF01} | 4044 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 52414 | - | false | 10.0.1.12 | - | 8000 | -
23 | 150621824 | win-dc-128.attackrange.local | 2022-02-01 20:57:41.127 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F8A2251F8D5D25B403CF98E34F3756EB,SHA256=43F9562A9071B80F8103B8C0864E029B6CD05BA501D4956093E5FF614AD647CD,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621823 | win-dc-128.attackrange.local | 2022-02-01 20:57:41.127 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5AF4ADC638E4F40A69DCCB54EFC8EBBC,SHA256=39D0530205DC703EAE95E4B5F583CE8E742DBA10FA867DB98467B4B89F6717F2,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621822 | win-dc-128.attackrange.local | 2022-02-01 20:57:41.080 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E296A227F2BD39D8C484458B969596BF,SHA256=67BFA9271D8C9B6B3939A3DE4931B66B58E80C22559AE226C5B36465376FF1B1,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065948 | win-host-987.attackrange.local | 2022-02-01 20:57:42.597 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=19C9591EBD356D06698B4016F3D16E7D,SHA256=39613EA804DD26D8020668341959104BFB930064C78FEE148214792DB5D60464,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621826 | win-dc-128.attackrange.local | 2022-02-01 20:57:42.096 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A167999806A7D18C0FFA25986A090362,SHA256=C8C4088336DC76867B4B6579895710BEDFEACAAD8500B34CF3A43E311CA2739D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065950 | win-host-987.attackrange.local | 2022-02-01 20:57:43.862 | {B81B27B7-4B3A-61E8-2600-00000000CE01} | 2172 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065949 | win-host-987.attackrange.local | 2022-02-01 20:57:43.628 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=ACEBE114899E873768601822582EF136,SHA256=5EF17C28293FD632474CA978ADF2D901270B115323BA9E3F5A92AF39FFFF2860,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621827 | win-dc-128.attackrange.local | 2022-02-01 20:57:43.122 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A8A1E90133FF1375B00556A57528E85D,SHA256=098BF1F0DE7D628BF5A2E1E651B28EFC8707EC75005D598563E2232FF8CC1E6E,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065951 | win-host-987.attackrange.local | 2022-02-01 20:57:44.769 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=78CF6CF7043404279988D9E88FCB0B22,SHA256=433E54C9D25ACFC225435E78C8EDCE67C7648BF1DCAB13778CD9A4553F1570DD,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621828 | win-dc-128.attackrange.local | 2022-02-01 20:57:44.151 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=3604CCA59D7165AA53D55B8A29F567CB,SHA256=FBC69E67E1FBACC9282162752CCBF10A63371D1C2E355B32A8CB04638FA021C8,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065953 | win-host-987.attackrange.local | 2022-02-01 20:57:45.972 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EAA78D8E7FAEE0EE546A9A875A7D3952,SHA256=374FF767CDA3922FC52C761751A257F9F876B5582031E6A9042A31A05BBC8553,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621829 | win-dc-128.attackrange.local | 2022-02-01 20:57:45.186 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6BBBD92750BFBBF74EC818B90E976AB9,SHA256=041F103D2DB29149C6DED7D6C449812246A65134F03126F4F2B736C4543BC26A,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 71065952 | win-host-987.attackrange.local | 2022-02-01 20:57:38.550 | {B81B27B7-4B3A-61E8-2600-00000000CE01} | 2172 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52554 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8089 | -
23 | 71065954 | win-host-987.attackrange.local | 2022-02-01 20:57:46.988 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=550CE1A738B377172EB458FC6CFB3954,SHA256=79191CF4203C2A8EB6FE1730BBB7A9857536D7392F61C7551D7DDF267289627B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621830 | win-dc-128.attackrange.local | 2022-02-01 20:57:46.201 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F529A717B7E7E4B0F46203B96A01CF78,SHA256=BDEAF342A54FB7BA4BD0617D731B1B55DE54117AA01150B5573F8F0ADE700740,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 150621834 | win-dc-128.attackrange.local | 2022-02-01 20:57:29.734 | {3BF36828-4B56-61E8-6D00-00000000CF01} | 4044 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 52415 | - | false | 10.0.1.12 | - | 8000 | -
23 | 150621833 | win-dc-128.attackrange.local | 2022-02-01 20:57:47.232 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1FF73FBCA2FADB189FD3079415DA4314,SHA256=5DD4016F1C539A535A2CBC4A63280086A271888DD0592D49D2D322D421DDF9DE,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621832 | win-dc-128.attackrange.local | 2022-02-01 20:57:47.107 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=1A31A05DEFCCB720AD30AF8304F46C6B,SHA256=2D1F107A5B1031770847E71C9D26066F50C8E8654789A2B507D8F0D90000AFC8,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621831 | win-dc-128.attackrange.local | 2022-02-01 20:57:47.107 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=F8A2251F8D5D25B403CF98E34F3756EB,SHA256=43F9562A9071B80F8103B8C0864E029B6CD05BA501D4956093E5FF614AD647CD,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621835 | win-dc-128.attackrange.local | 2022-02-01 20:57:48.264 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B7C412DD947ADDA49E392ABC57CF4C83,SHA256=00D42955CC01E844E613202B0FF838F8992FB5D8E688F4FEE967E8D08B3A6D08,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 71065956 | win-host-987.attackrange.local | 2022-02-01 20:57:40.847 | {B81B27B7-4B45-61E8-6600-00000000CE01} | 4020 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52555 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 71065955 | win-host-987.attackrange.local | 2022-02-01 20:57:48.003 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4D0021A9CB1250716645320EDB9B274A,SHA256=7063273FB4B42C91412F1E07C3FE12FD6F6F5EB63E04A71C2E8C645EFD07B418,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621836 | win-dc-128.attackrange.local | 2022-02-01 20:57:49.264 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F64123A5D4CD0F1E093E35B8250B5A71,SHA256=EA39CE8C670BD3FF7AC6F309676D8A5EE76134ABD987F4385488BCA8A5BF9A10,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065957 | win-host-987.attackrange.local | 2022-02-01 20:57:49.003 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4A699D58C29662C97AA599E292538D92,SHA256=CC26891778C07E0F91C5004C22CDE56D91880B94A16B89CEE2E30177815CBE05,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621838 | win-dc-128.attackrange.local | 2022-02-01 20:57:50.686 | {3BF36828-4B49-61E8-2D00-00000000CF01} | 3056 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621837 | win-dc-128.attackrange.local | 2022-02-01 20:57:50.326 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8B984BD87FB47243CCAA4104115D449E,SHA256=09586DE05AB3360DB1A7B2AA3AAB3C30877BBAD79F279F5195637EE1DC362906,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065958 | win-host-987.attackrange.local | 2022-02-01 20:57:50.006 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F346F91A1A6DA2631474960D59E4F692,SHA256=48E813723BB382EBF80E4E86CA305C3D6E1D34CDB64D3AA35C9272824459FE52,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621840 | win-dc-128.attackrange.local | 2022-02-01 20:57:51.904 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=1A31A05DEFCCB720AD30AF8304F46C6B,SHA256=2D1F107A5B1031770847E71C9D26066F50C8E8654789A2B507D8F0D90000AFC8,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621839 | win-dc-128.attackrange.local | 2022-02-01 20:57:51.342 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B24ED98D075FFC62926D66A2159BB098,SHA256=A4F91DDE20978900CF6F0A4E24997A6F1BDE753CF75293400B9AFB74BEA07C43,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065959 | win-host-987.attackrange.local | 2022-02-01 20:57:51.053 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B53A1E3DBC40CF586DBAA2FA5C238D32,SHA256=8A34691AED7810B7DCE17C30AD335234FBEE1A3CFEC52C69FBFB4541C9720BDB,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 150621843 | win-dc-128.attackrange.local | 2022-02-01 20:57:34.874 | {3BF36828-4B56-61E8-6D00-00000000CF01} | 4044 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 52417 | - | false | 10.0.1.12 | - | 8000 | -
3 | 150621842 | win-dc-128.attackrange.local | 2022-02-01 20:57:34.343 | {3BF36828-4B49-61E8-2D00-00000000CF01} | 3056 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 52416 | - | false | 10.0.1.12 | - | 8089 | -
23 | 150621841 | win-dc-128.attackrange.local | 2022-02-01 20:57:52.373 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0D679B74190B293B4936A26A3D3DD919,SHA256=E6E40D66FCE8045A683E1D314E19A4A1E633F921C923763F081FB1DC11216687,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065960 | win-host-987.attackrange.local | 2022-02-01 20:57:52.053 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=34D8AA6AB736FDB9C27BFF4D81B3E1FD,SHA256=2E638B41748D15CE17CC813535B7B47959A0E1CE2497DD8243CB6EEA07B19292,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621844 | win-dc-128.attackrange.local | 2022-02-01 20:57:53.404 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D96C753D0088CC286FD6EA3B7634C6B0,SHA256=3317632BD66AA3556C3D0A70DFE02328F51A69F3EA4BB99E739E5BBF7FF86594,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065962 | win-host-987.attackrange.local | 2022-02-01 20:57:53.287 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D8B7038839817020B7CCDA9DF8F59901,SHA256=AC47B76F954B660F1B757597AC9E5EDD7E8D490B248034FA7C384A6DA3758AAC,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 71065961 | win-host-987.attackrange.local | 2022-02-01 20:57:45.944 | {B81B27B7-4B45-61E8-6600-00000000CE01} | 4020 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52556 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 150621845 | win-dc-128.attackrange.local | 2022-02-01 20:57:54.435 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=44CD272C6A9EA08A41548B54BE086853,SHA256=95DE1D8733E8376EB56A63B6DF70D813B0E679C00D777580400A36CE089D8A1A,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065963 | win-host-987.attackrange.local | 2022-02-01 20:57:54.303 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=201520A7A8B3EDD95126D06918128B8F,SHA256=9B6B435B58A853EA9DC23F30A42F038F47BA7A6BA9C5A532931572FDE898E1A9,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065965 | win-host-987.attackrange.local | 2022-02-01 20:57:55.365 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BB268573936FF079F4F162095C6154BB,SHA256=04643F708FD88A6A18430F995645433D8DD887EADC0DDA115E8FC287F89E9FD6,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621846 | win-dc-128.attackrange.local | 2022-02-01 20:57:55.451 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D103C078C8E9CC9F1779E70044E0372B,SHA256=80CCC2154EE0ED7C6242D7538CC05037438AAC747D021728388A5C78171BDB07,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065964 | win-host-987.attackrange.local | 2022-02-01 20:57:55.068 | {B81B27B7-4B3A-61E8-1000-00000000CE01} | 984 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | MD5=319B26156D19309E18C13AF3D5C7BD03,SHA256=4D7EAEE3DC20513FF4CDB3E2748688438A88B24F0448FB334E80747CCC9AC7A9,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621847 | win-dc-128.attackrange.local | 2022-02-01 20:57:56.467 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1F1F0BF9D173FB45984B098EAEDA8BED,SHA256=5151BFF0EF9B6CE643CFBA784630DD27676AF6B52DE17F4ABC0AF3A4BB7E4591,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065966 | win-host-987.attackrange.local | 2022-02-01 20:57:56.521 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=869A0F595E68ED7F33E76EA0402D047E,SHA256=153FFFA1F3482789FC92F22AF1299405AFCF3EC91413F2358CA0C5345EF51986,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065967 | win-host-987.attackrange.local | 2022-02-01 20:57:57.537 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=98A0582B4C9769C6C55B6489615D001F,SHA256=C6518A7F61E52A771388B16FF6CC60B29214C858ABBA926E2990349136630D1B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621848 | win-dc-128.attackrange.local | 2022-02-01 20:57:57.514 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CDE8995E9CB4A13BE4D0673BBF4639D8,SHA256=DDCFA15029F81088332C0130007785409096DFF19E9ECB75101499F7989CB169,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065968 | win-host-987.attackrange.local | 2022-02-01 20:57:58.553 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5D5A47AB7398C108FDDDC1CA9D794884,SHA256=7DCF793233E3AE2A392E8B5A39B41C0540D25071F553EE302F8C743B08F08DC1,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 150621852 | win-dc-128.attackrange.local | 2022-02-01 20:57:40.780 | {3BF36828-4B56-61E8-6D00-00000000CF01} | 4044 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-128.attackrange.local | 52418 | - | false | 10.0.1.12 | - | 8000 | -
23 | 150621851 | win-dc-128.attackrange.local | 2022-02-01 20:57:58.529 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=386654A0F8CB996583E14595A3567321,SHA256=51D7886357483F7310D238E859254E95610B3334882A49E9951053CB17DC6812,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621850 | win-dc-128.attackrange.local | 2022-02-01 20:57:58.185 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=3AB04E7BF22B7D56844DB70DF9C02CB3,SHA256=B98DD87109B7789343317171A2EE8F34D3D945506D3177196D715B6E4D54966D,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621849 | win-dc-128.attackrange.local | 2022-02-01 20:57:58.185 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=6F38940AD0DC7AFB11545E82663A7FB4,SHA256=DB8BA9C3F86EAE49E5432195FA3A8690694CA775FD9EB94F7A73C068510C8E1B,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065970 | win-host-987.attackrange.local | 2022-02-01 20:57:59.771 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FDF11A9E77BC858F3558C753B33C38F4,SHA256=486024AB132F3F5AFB88E27833CA3DA0BB3F387D32BF6A8ADFC588D4355271FE,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621853 | win-dc-128.attackrange.local | 2022-02-01 20:57:59.545 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DFC806DE5FAC5A4BDB8127E0AD148469,SHA256=5CD2E1E691235E8B4A5B2CE16F264B1597456ED73195A6717335AEBF4FCBE33F,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
3 | 71065969 | win-host-987.attackrange.local | 2022-02-01 20:57:51.803 | {B81B27B7-4B45-61E8-6600-00000000CE01} | 4020 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-987.attackrange.local | 52557 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 71065971 | win-host-987.attackrange.local | 2022-02-01 20:58:00.834 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FB619DFCA56A5FA33CD3865E0EB2DC81,SHA256=232E896843340564E741E605D9371E4607C321E897B6C281F93570981290B4DB,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621854 | win-dc-128.attackrange.local | 2022-02-01 20:58:00.560 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=D4E733B12AAFE0684810109FFD011205,SHA256=2AEC4A5D1A0EC03115E7939CD27EE6CDE19907BE6987C8E941E5A6D8A316BC06,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621855 | win-dc-128.attackrange.local | 2022-02-01 20:58:01.576 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BB94A5D2C4C12812D4EDA0BB5A0F3FD9,SHA256=FA07A3EECFE96481EBB0A0C508BC37307CF0D785E11465678ADCC3DBF43A7E95,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 150621856 | win-dc-128.attackrange.local | 2022-02-01 20:58:02.592 | {3BF36828-4B5D-61E8-7600-00000000CF01} | 3900 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=68A2A8072E6D31E2B26E120CDB3EB2D2,SHA256=939A274EC8EF6A11620DDE4FB5C22DC576E4FECDE09D44A7AB64090ED7722E8E,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
23 | 71065972 | win-host-987.attackrange.local | 2022-02-01 20:58:02.068 | {B81B27B7-4B4D-61E8-6F00-00000000CE01} | 3156 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=F8416BDA46D6F745BA31034CF761CF27,SHA256=8E29233DA7757A6382C0990EEA6913A8BF60C5539D032FFD5DEC41EFA5104B10,IMPHASH=00000000000000000000000000000000 | false | false - insufficient disk space
7 | 150621907 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 150621906 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 150621905 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 150621904 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | true | Microsoft Windows | Valid
7 | 150621903 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 150621902 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | true | Microsoft Windows | Valid
7 | 150621901 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 150621900 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.904 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | true | Microsoft Windows | Valid
7 | 150621899 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 150621898 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 150621897 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 150621896 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 150621895 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
7 | 150621894 | win-dc-128.attackrange.local | 2022-02-01 20:58:03.889 | {3BF36828-9EDB-61F9-1F0A-02000000CF01} | 4396 | C:\Program (record continues beyond the end of this span)
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150621892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150621886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150621879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000150621876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150621873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150621871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000150621869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150621866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:03.889{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:03.889{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:03.889{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.889{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.874{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150621859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.592{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E060B89121E172F0339873AAE3709902,SHA256=6F00FA44A54D70BF89176D1B89CDB8FC1FF0F1955C6BDC074E906FAC0A6EFA34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071065973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:03.193{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7512C77C997DA3860C7BCFA24C230752,SHA256=55830E9D78B97F8F69E0DD9FFDEA5D9928DF2908F05C5996923BC6AB58EC929A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.264{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=065B3C86C71D0661202A6574E0D04BD2,SHA256=936D581E45435F6A8793E4C9C37932187CA8357DCB109E4DFCDD76BC7E78ADF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:03.264{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AB04E7BF22B7D56844DB70DF9C02CB3,SHA256=B98DD87109B7789343317171A2EE8F34D3D945506D3177196D715B6E4D54966D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.889{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=065B3C86C71D0661202A6574E0D04BD2,SHA256=936D581E45435F6A8793E4C9C37932187CA8357DCB109E4DFCDD76BC7E78ADF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.889{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81F6555CC056D14390EA3EC54E17B0A,SHA256=D21DB1F20923CABDCC28AB87DFB31AAE2D22F7B737F3E33CBEA8166D30196A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150621962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.857{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D713FC92614F8BB8ED03D100E71796B1,SHA256=D6F9FC6F82608DCD9FBC41BDEB85C35E567C90A4B74BC3B5689A93C968283152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150621961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.732{3BF36828-9EDC-61F9-200A-02000000CF01}45845752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.732{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150621959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.732{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000071065975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:57:56.912{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52558-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071065974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:04.225{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7FDDCA03766A0723FC3A3A08DDF8E9,SHA256=27E23E59CA7F36B881F1739DDEB0B38465D645819B344E99E7A385378D4F3E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150621958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000150621957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150621956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150621955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150621954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150621953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150621952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150621951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000150621950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.592{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150621949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150621948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150621947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: 
vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150621946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150621945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150621944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150621943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150621942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150621941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150621940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000150621939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150621938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150621937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150621936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150621935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150621934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150621933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000150621932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150621931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150621930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150621929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150621928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150621927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150621926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150621925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150621924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150621922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.576{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150621921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150621920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150621919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150621918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150621917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.576{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:04.576{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150621913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150621912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.576{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150621911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.561{3BF36828-9EDC-61F9-200A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150621910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:04.045{3BF36828-9EDB-61F9-1F0A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
Sysmon events from Microsoft-Windows-Sysmon/Operational, one record per line, with the field names of the Sysmon event schema restored. Values identical in every record are given once here instead of being repeated: Level=4, Opcode=0, Task=EventID, Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational, Security UserID=-. In the EventID 10 (ProcessAccess) records the export ran SourceProcessId and SourceThreadId together into a single number; they are shown as SourceProcessId+SourceThreadId because the split cannot be read back from the text (for splunkd.exe it is 3056 and 4072, since the ProcessCreate record in this list names 3056 as the parent PID).

EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621909 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:04.045 | ProcessGuid={3BF36828-9EDB-61F9-1F0A-02000000CF01} | ProcessId=4396 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | ImageLoaded=C:\Windows\System32\dbgcore.dll | FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) | Description=Windows Core Debugging Helpers | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGCORE.DLL | Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621908 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:04.045 | ProcessGuid={3BF36828-9EDB-61F9-1F0A-02000000CF01} | ProcessId=4396 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | ImageLoaded=C:\Windows\System32\dbghelp.dll | FileVersion=10.0.14321.1024 (rs1_release.160715-1616) | Description=Windows Image Helper | Product=Microsoft® Windows® Operating System | Company=Microsoft | OriginalFileName=DBGHELP.DLL | Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621966 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:05.748 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=931B4C0A3D407250A071A5249596F415,SHA256=A899FA3622FF581D9616135508F519104C8FFD456457FD9F0C08CCE062CDA67F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=71065976 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:05.269 | ProcessGuid={B81B27B7-4B4D-61E8-6F00-00000000CE01} | ProcessId=3156 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=FF65DAFCC85B0E9EBCD0EEEE7818CDB4,SHA256=A51ABF3565A93DAE89BE3BE773B101CB98C6C7C6C3F595B122D77D004019F7C7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 (NetworkConnect) | Version=5 | EventRecordID=150621965 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:57:45.890 | ProcessGuid={3BF36828-4B56-61E8-6D00-00000000CF01} | ProcessId=4044 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=52419 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621967 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:06.764 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=54BA3E8B9A701E5EB71C9EED655DED3D,SHA256=82D2BA824A34AC894540F923F766EE605116472E6D4260A6324D47B180C27F43,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=71065977 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:06.350 | ProcessGuid={B81B27B7-4B4D-61E8-6F00-00000000CE01} | ProcessId=3156 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=4A06D9B6EE608CC78A52C5AF15E49A0C,SHA256=E65BF16BA56A0E4AD17D91BD5DB3D888E378A33A7D731E4510F564A41803F4E9,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=71065978 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:07.397 | ProcessGuid={B81B27B7-4B4D-61E8-6F00-00000000CE01} | ProcessId=3156 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=4731ABD04DF8D429FA0756317CD3C8DF,SHA256=611EEA8FDFD883892AC6E9493B6D092B2C9A7521AFEF4902A2FDA2472891EF53,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621968 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:07.842 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=85BC3C6EE20E5D198611E213D03DD42B,SHA256=79F4FF71A6A1CDF6CACC39B44A1CE16FA8A34861327A8434B33CAC980FFAE421,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=71065979 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:08.585 | ProcessGuid={B81B27B7-4B4D-61E8-6F00-00000000CE01} | ProcessId=3156 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EF3AA1AE762FA636C7F7DAEF287DD975,SHA256=2F78FB65F7312D412D9C6B8396A95C8E14E38319D2470784C4CC4B1F574FA0E7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621969 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:08.889 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=071D984B0DC9405F373CC0741EFA3519,SHA256=2B148B97C23C6C03EEFF5CF8FEED2A0EFF3F75663985396BE05DF7E5F3F972DA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=71065980 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:09.709 | ProcessGuid={B81B27B7-4B4D-61E8-6F00-00000000CE01} | ProcessId=3156 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=B13ADF8F6324A53EEBBCD16E3F2D2D68,SHA256=50AF172DDDF91ABCF688042EBCA6A5903EA92DD7770D6B91D6862B141E88449A,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622023 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\cryptbase.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Base cryptographic API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptbase.dll | Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622022 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\rsaenh.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Microsoft Enhanced Cryptographic Provider | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rsaenh.dll | Hashes=MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622021 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\cryptsp.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Cryptographic Service Provider API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptsp.dll | Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622020 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\srvcli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Server Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SRVCLI.DLL | Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622019 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4046 (rs1_release.201028-1803) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622018 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622017 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622016 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.935 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622015 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\sspicli.dll | FileVersion=10.0.14393.2580 (rs1_release_inmarket.181009-1745) | Description=Security Support Provider Interface | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sspicli.dll | Hashes=MD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622014 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622013 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622012 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622011 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4046 (rs1_release.201028-1803) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622010 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.3269 (rs1_release.190929-1234) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622009 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622008 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622007 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622006 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622005 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622004 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=libeay32.dll | Hashes=MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622003 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622002 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622001 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150622000 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621999 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | FileVersion=1.0.2t | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=ssleay32.dll | Hashes=MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621998 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621997 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621996 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621995 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\nsi.dll | FileVersion=10.0.14393.3297 (rs1_release_1.191001-1045) | Description=NSI User-mode interface DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=nsi.dll | Hashes=MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621994 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.9 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621993 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621992 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621991 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\dnsapi.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=DNS Client API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=dnsapi | Hashes=MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECC | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621990 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\IPHLPAPI.DLL | FileVersion=10.0.14393.2339 (rs1_release_inmarket.180611-1502) | Description=IP Helper API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=iphlpapi.dll | Hashes=MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621989 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621988 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\secur32.dll | FileVersion=10.0.14393.2273 (rs1_release_1.180427-1811) | Description=Security Support Provider Interface | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=secur32.dll | Hashes=MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621987 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621986 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621985 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.3808 (rs1_release.200707-2105) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621984 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621983 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B4B-61E8-3600-00000000CF01} | SourceProcessId+SourceThreadId=34443464 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={3BF36828-9EE1-61F9-210A-02000000CF01} | TargetProcessId=5644 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621982 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621981 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621980 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
EventID=7 (ImageLoad) | Version=3 | EventRecordID=150621979 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | FileVersion=8.0.2 | Description=Network monitor | Product=Splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-netmon.exe | Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621978 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B39-61E8-0C00-00000000CF01} | SourceProcessId+SourceThreadId=8405416 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3BF36828-4B49-61E8-2A00-00000000CF01} | TargetProcessId=2992 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621977 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B39-61E8-0C00-00000000CF01} | SourceProcessId+SourceThreadId=8405416 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3BF36828-4B49-61E8-2A00-00000000CF01} | TargetProcessId=2992 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621976 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B39-61E8-0C00-00000000CF01} | SourceProcessId+SourceThreadId=8405416 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3BF36828-4B49-61E8-2A00-00000000CF01} | TargetProcessId=2992 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621975 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B39-61E8-0C00-00000000CF01} | SourceProcessId+SourceThreadId=8405416 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3BF36828-4B49-61E8-2A00-00000000CF01} | TargetProcessId=2992 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621974 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B36-61E8-0500-00000000CF01} | SourceProcessId+SourceThreadId=416432 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={3BF36828-9EE1-61F9-210A-02000000CF01} | TargetProcessId=5644 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=150621973 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.920 | SourceProcessGUID={3BF36828-4B49-61E8-2D00-00000000CF01} | SourceProcessId+SourceThreadId=30564072 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={3BF36828-9EE1-61F9-210A-02000000CF01} | TargetProcessId=5644 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 (ProcessCreate) | Version=5 | EventRecordID=150621972 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.905 | ProcessGuid={3BF36828-9EE1-61F9-210A-02000000CF01} | ProcessId=5644 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | FileVersion=8.0.2 | Description=Network monitor | Product=Splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-netmon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={3BF36828-4B37-61E8-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC | ParentProcessGuid={3BF36828-4B49-61E8-2D00-00000000CF01} | ParentProcessId=3056 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621971 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.904 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BF4D01F577472BC92109AD52AFC032E6,SHA256=790EF1DBB3C6499DFC27DBB48BF48AA690CFB142A86A3A74B3DE24BDE13DD655,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 (FileDelete) | Version=5 | EventRecordID=150621970 | Computer=win-dc-128.attackrange.local | UtcTime=2022-02-01 20:58:09.264 | ProcessGuid={3BF36828-4B5D-61E8-7600-00000000CF01} | ProcessId=3900 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=72583EDAB9008C85591193E1796D9C82,SHA256=383A010219E81B61EE97C03D7281F39F9BCC74436D80D5AE8B5F5DBE98C63672,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=71065998 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:10.913 | SourceProcessGUID={B81B27B7-4B3C-61E8-3000-00000000CE01} | SourceProcessId+SourceThreadId=31083128 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={B81B27B7-9EE2-61F9-BD09-02000000CE01} | TargetProcessId=4512 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 (ProcessAccess) | Version=3 | EventRecordID=71065997 | Computer=win-host-987.attackrange.local | UtcTime=2022-02-01 20:58:10.913 | SourceProcessGUID={B81B27B7-4B39-61E8-0C00-00000000CE01} | SourceProcessId+SourceThreadId=7362500 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={B81B27B7-4B3A-61E8-1F00-00000000CE01} | TargetProcessId=2004 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000071065996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.913{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.913{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:10.913{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.913{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-9EE2-61F9-BD09-02000000CE01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071065992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.913{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EE2-61F9-BD09-02000000CE01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071065991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.898{B81B27B7-9EE2-61F9-BD09-02000000CE01}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071065990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.834{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC790F1BE1BEA5B2FDFD6B1C255F41BD,SHA256=2807BE171C0B3C00EA27119D6170A97D754A14B6EC81512946F06DFF3934167B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000071065989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:02.788{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52559-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071065988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.225{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EE2-61F9-BC09-02000000CE01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.225{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:10.225{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.225{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:10.225{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071065983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.225{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9EE2-61F9-BC09-02000000CE01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071065982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.225{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EE2-61F9-BC09-02000000CE01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071065981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.210{B81B27B7-9EE2-61F9-BC09-02000000CE01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150622079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.795{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000150622078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.779{3BF36828-9EE2-61F9-220A-02000000CF01}9125860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.779{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.779{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000150622075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150622074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150622073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150622072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150622071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150622070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150622069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000150622068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.623{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150622067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150622066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 
(rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft 
WindowsValid 734700x8000000000000000150622061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150622059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150622057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150622056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
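The records on this page are Sysmon events exported from the Attack Range Splunk instance with their XML tags stripped, so every EventData value is present in schema order but the field boundaries are gone. The parser below is an added example, not part of the dataset: it cuts the export at each System block, decodes the fused EventID/Version/Level/Task/Opcode digit run (Sysmon sets Task equal to EventID, which is what makes that run decodable), and rebuilds the fields of EventID 7 (ImageLoad), 10 (ProcessAccess) and 23 (FileDelete) from the documented Sysmon field order using the fixed shapes of GUIDs, drive-letter paths, the MD5/SHA256/IMPHASH triple and the true/false flags. The function and key names are my own; the sample is constructed from five records copied from this page, with the two ProcessAccess call traces shortened to their first frames. The three checks at the end are the ones a practitioner would run over these records: DLLs loaded into a SYSTEM process that are not Microsoft-signed, handle opens that asked for PROCESS_ALL_ACCESS, and FileDelete events whose archive copy failed.

```python
"""Split Sysmon records that were exported with their XML tags stripped.

Added example, not part of the dataset. Values are still in Sysmon schema order,
only the delimiters are gone, so boundaries are reconstructed from the documented
field order of EventID 7 (ImageLoad), 10 (ProcessAccess) and 23 (FileDelete).
Other EventIDs keep only the raw body.
"""
import re

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
PATH = r"[A-Za-z]:\\"                     # start of a drive-letter path
GUID = r"\{(?P<%s>[0-9A-F-]{36})\}"       # a Sysmon ProcessGuid in braces
HASHES = (r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
          r"IMPHASH=(?P<imphash>[0-9A-F]{32})")

# System block: EventID Version Level Task Opcode as one digit run, Keywords,
# EventRecordID, Channel, Computer, '-' (empty Security UserID), UtcTime.
HEADER = re.compile(
    r"(?<!\d)(?P<hdr>\d+)0x(?P<keywords>[0-9A-F]{16})(?P<record>\d+)"
    + re.escape(CHANNEL)
    + r"(?P<host>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")

# EventID 7: ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion through
# OriginalFileName (kept fused as 'meta'), Hashes, Signed, Signature, SignatureStatus.
IMAGE_LOAD = re.compile(
    GUID % "guid" + r"(?P<pid>\d+)(?P<image>" + PATH + r".+?)(?=" + PATH + r")"
    r"(?P<loaded>" + PATH + r".+?\.(?:dll|DLL|exe|EXE))(?P<meta>.*?)" + HASHES
    + r"(?P<signed>true|false)(?P<signature>.*?)"
    r"(?P<status>Valid|Invalid|Unavailable|Expired|Revoked)$", re.S)

# EventID 10: SourceProcessGUID, SourceProcessId+SourceThreadId (fused; both are
# multiples of 4, so the split is ambiguous and left alone), SourceImage,
# TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
PROCESS_ACCESS = re.compile(
    GUID % "src_guid" + r"(?P<src_pid_tid>\d+)(?P<src_image>" + PATH + r".+?)"
    + GUID % "tgt_guid" + r"(?P<tgt_pid>\d+)(?P<tgt_image>" + PATH + r".+?)"
    r"(?P<access>0x[0-9a-f]+)(?=" + PATH + r"|$)(?P<trace>.*)$", re.S)

# EventID 23: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes,
# IsExecutable, Archived ('true', or 'false - <reason>' when no copy was kept).
FILE_DELETE = re.compile(
    GUID % "guid" + r"(?P<pid>\d+)(?P<user>.+?)(?P<image>" + PATH + r".+?)"
    r"(?P<target>" + PATH + r".+?)" + HASHES
    + r"(?P<is_executable>true|false)(?P<archived>.*)$", re.S)

PARSERS = {7: IMAGE_LOAD, 10: PROCESS_ACCESS, 23: FILE_DELETE}


def split_header(digits):
    """EventID, Version, Level, Opcode from the fused digit run. Sysmon sets Task
    equal to EventID, which fixes the EventID width ('1034100' -> 10,3,4,10,0)."""
    for width in (1, 2):
        if digits[:width] == digits[width + 2:-1]:
            return (int(digits[:width]), int(digits[width]),
                    int(digits[width + 1]), int(digits[-1]))
    raise ValueError("unrecognised Sysmon header: " + digits)


def parse_records(text):
    """Cut the export at every System block and decode each body by EventID."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end].strip()
        eid, version, level, opcode = split_header(head.group("hdr"))
        rec = {"event_id": eid, "version": version, "level": level, "opcode": opcode,
               "record_id": int(head.group("record")), "computer": head.group("host"),
               "utc_time": head.group("utc"), "raw": body}
        fields = PARSERS[eid].match(body) if eid in PARSERS else None
        if fields:
            rec.update({k: v.strip() for k, v in fields.groupdict().items()})
        records.append(rec)
    return records


def third_party_loads(records):
    """Loaded DLLs that are not Microsoft-signed: the list to review when the
    loading process runs as SYSTEM, as the Splunk forwarder binaries here do."""
    return [(r["loaded"], r["signature"], r["status"]) for r in records
            if "signature" in r and not r["signature"].startswith("Microsoft")]


def full_access_opens(records):
    """ProcessAccess events that asked for PROCESS_ALL_ACCESS (0x1fffff)."""
    return [(r["src_image"], r["tgt_image"]) for r in records
            if "access" in r and int(r["access"], 16) == 0x1FFFFF]


def failed_archives(records):
    """FileDelete events where Sysmon could not keep a copy of the file."""
    return [(r["target"], r["archived"]) for r in records
            if "archived" in r and not r["archived"].startswith("true")]


# Constructed sample: five records copied from this page, one per line, with
# the two EventID 10 call traces shortened to their first frames.
SAMPLE = r"""
734700x8000000000000000150622052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000150622079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.795{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
10341000x8000000000000000150621973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:09.920{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EE1-61F9-210A-02000000CF01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNEL32.DLL+1c213
10341000x800000000000000071065997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:10.913{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18
23542300x8000000000000000150621971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:09.904{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4D01F577472BC92109AD52AFC032E6,SHA256=790EF1DBB3C6499DFC27DBB48BF48AA690CFB142A86A3A74B3DE24BDE13DD655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["record_id"], r["event_id"], r.get("loaded") or r.get("tgt_image") or r.get("target"))
```

Two caveats when reading the output against this page. SourceProcessId and SourceThreadId in the EventID 10 records arrive as one digit run ("8405416", "416432"); both values are multiples of 4, so more than one split is valid and the parser deliberately leaves them fused rather than guess. And every PROCESS_ALL_ACCESS open on this page is a parent splunkd.exe, csrss.exe or conhost.exe opening a freshly started forwarder child (splunk-netmon.exe, splunk-admon.exe), while the 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) opens of sysmon64.exe come from svchost.exe with lsm.dll on the call stack, so handle-access detections tuned on this data should key on source image, target image and call trace together rather than on the access mask alone. The "false - insufficient disk space" Archived values on the EventID 23 records mean Sysmon was unable to keep a copy of the deleted forwarder checkpoint files, which is worth checking on the host before relying on the archive directory for forensics.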
734700x8000000000000000150622054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150622052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150622049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA 
Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150622046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150622045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150622044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150622040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150622039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150622034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000150622033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:10.607{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.607{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.592{3BF36828-9EE2-61F9-220A-02000000CF01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150622027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:51.905{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52420-false10.0.1.12-8000- 734700x8000000000000000150622026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.139{3BF36828-9EE1-61F9-210A-02000000CF01}5644C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150622025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.139{3BF36828-9EE1-61F9-210A-02000000CF01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:10.139{3BF36828-9EE1-61F9-210A-02000000CF01}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071066010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.897{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457A677AE3501E1981D650149AF1DBA6,SHA256=A842FDE499D9868812128045E4A242FA820A680AE81B82B3F9AF095A7A17846B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150622179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150622178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150622177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150622176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150622175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000150622174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150622173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.842{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150622172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150622171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150622165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000150622164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.826{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® 
Microsoft-Windows-Sysmon/Operational records from win-dc-128.attackrange.local, 2022-02-01, newest record first. Every record below carries Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to its EventID, and RuleName "-"; those constant fields are omitted from the rows. Columns are separated by " | " (with spaces); the frames inside a CallTrace field are joined with a bare "|" exactly as Sysmon writes them.

Row layout by event type:

EventID 7, ImageLoad (event version 3):
7 | EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus

EventID 10, ProcessAccess (event version 3):
10 | EventRecordID | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace

EventID 1, ProcessCreate (event version 5):
1 | EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine

Tail of a record whose beginning is cut off at the start of this section (only its last fields survive):
... Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid

7 | 150622160 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | true | Splunk, Inc. | Valid
7 | 150622159 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 150622158 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
7 | 150622157 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
7 | 150622156 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
7 | 150622155 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
7 | 150622154 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | true | Splunk, Inc. | Valid
7 | 150622153 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
7 | 150622152 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | true | Microsoft Windows | Valid
7 | 150622151 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
7 | 150622150 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 150622149 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
7 | 150622148 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 150622147 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
7 | 150622146 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | true | Microsoft Windows | Valid
10 | 150622145 | 2022-02-01 20:58:11.826 | {3BF36828-4B4B-61E8-3600-00000000CF01} | 3444 | 3464 | C:\Windows\system32\conhost.exe | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 150622144 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 | true | Microsoft Windows | Valid
7 | 150622143 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | true | Microsoft Windows | Valid
7 | 150622142 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4350 (rs1_release.210407-2154) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 150622141 | 2022-02-01 20:58:11.826 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C | true | Splunk, Inc. | Valid
10 | 150622140 | 2022-02-01 20:58:11.810 | {3BF36828-4B39-61E8-0C00-00000000CF01} | 840 | 5416 | C:\Windows\system32\svchost.exe | {3BF36828-4B49-61E8-2A00-00000000CF01} | 2992 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 150622139 | 2022-02-01 20:58:11.810 | {3BF36828-4B39-61E8-0C00-00000000CF01} | 840 | 5416 | C:\Windows\system32\svchost.exe | {3BF36828-4B49-61E8-2A00-00000000CF01} | 2992 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 150622138 | 2022-02-01 20:58:11.810 | {3BF36828-4B39-61E8-0C00-00000000CF01} | 840 | 5416 | C:\Windows\system32\svchost.exe | {3BF36828-4B49-61E8-2A00-00000000CF01} | 2992 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 150622137 | 2022-02-01 20:58:11.810 | {3BF36828-4B36-61E8-0500-00000000CF01} | 416 | 4876 | C:\Windows\system32\csrss.exe | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 150622136 | 2022-02-01 20:58:11.810 | {3BF36828-4B39-61E8-0C00-00000000CF01} | 840 | 5416 | C:\Windows\system32\svchost.exe | {3BF36828-4B49-61E8-2A00-00000000CF01} | 2992 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 150622135 | 2022-02-01 20:58:11.810 | {3BF36828-4B49-61E8-2D00-00000000CF01} | 3056 | 4072 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1 | 150622134 | 2022-02-01 20:58:11.796 | {3BF36828-9EE3-61F9-240A-02000000CF01} | 2784 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {3BF36828-4B37-61E8-E703-000000000000} | 0x3e7 | 0 | System | MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C | {3BF36828-4B49-61E8-2D00-00000000CF01} | 3056 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
7 | 150622133 | 2022-02-01 20:58:11.295 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
10 | 150622132 | 2022-02-01 20:58:11.295 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | 2128 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {3BF36828-4B49-61E8-2D00-00000000CF01} | 3056 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 150622131 | 2022-02-01 20:58:11.295 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
7 | 150622130 | 2022-02-01 20:58:11.295 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
7 | 150622129 | 2022-02-01 20:58:11.154 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 150622128 | 2022-02-01 20:58:11.154 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 150622127 | 2022-02-01 20:58:11.154 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 150622126 | 2022-02-01 20:58:11.154 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | true | Microsoft Windows | Valid
7 | 150622125 | 2022-02-01 20:58:11.154 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 150622124 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | true | Microsoft Windows | Valid
7 | 150622123 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 150622122 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | true | Microsoft Windows | Valid
7 | 150622121 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 150622120 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 150622119 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 150622118 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 150622117 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
7 | 150622116 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
7 | 150622115 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
7 | 150622114 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 150622113 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
7 | 150622112 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
7 | 150622111 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
7 | 150622110 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 150622109 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
7 | 150622108 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
7 | 150622107 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | true | Splunk, Inc. | Valid
7 | 150622106 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
7 | 150622105 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | true | Microsoft Windows | Valid
7 | 150622104 | 2022-02-01 20:58:11.139 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
7 | 150622103 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
7 | 150622102 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 150622101 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
7 | 150622100 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
7 | 150622099 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 150622098 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | true | Splunk, Inc. | Valid
7 | 150622097 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
7 | 150622096 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
7 | 150622095 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | true | Microsoft Windows | Valid
10 | 150622094 | 2022-02-01 20:58:11.123 | {3BF36828-4B4B-61E8-3600-00000000CF01} | 3444 | 3464 | C:\Windows\system32\conhost.exe | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 150622093 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 | true | Microsoft Windows | Valid
7 | 150622092 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | true | Microsoft Windows | Valid
7 | 150622091 | 2022-02-01 20:58:11.123 | {3BF36828-9EE3-61F9-230A-02000000CF01} | 2080 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4350 (rs1_release.210407-2154) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
734700x8000000000000000150622090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.123{3BF36828-9EE3-61F9-230A-02000000CF01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150622089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.123{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:11.123{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.123{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:11.123{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.123{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EE3-61F9-230A-02000000CF01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.123{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EE3-61F9-230A-02000000CF01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.110{3BF36828-9EE3-61F9-230A-02000000CF01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150622082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.107{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD9332BCEE6F80E9A3D0110E39281D9,SHA256=9EAA89460169E68E6EC2A2F7712FEEF3D851290C588A93FCBE052F47574F894D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:11.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D892034D64668B879830A6A5E36E20C3,SHA256=875FE5132565E37D6D29615857E0928E89BD89D1BAFC867C9371EB57987493A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:11.076{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44499C9C1E2500005169EEEA06736510,SHA256=CB5922DEEA5D41F4E30B75A629D512CEF57A8D4C3995A4E22D1D68DFBEEE9C07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.600{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EE3-61F9-BE09-02000000CE01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:11.600{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.600{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:11.600{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.600{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:11.600{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-9EE3-61F9-BE09-02000000CE01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.584{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EE3-61F9-BE09-02000000CE01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.585{B81B27B7-9EE3-61F9-BE09-02000000CE01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.272{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49F07AAF9362A7C9AD9CF1D3D49B3905,SHA256=1B5B3B5D1A2EC683D567FF7D13D9B91A2F90A742343DD331E536517FF0D0F782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.272{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=278F04C181F84BFB24D2F43759C45E7A,SHA256=1444E416ED9F2684C924C30683593F8DB2EFC3E4361F7305F3629CABD53D5644,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071065999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:11.131{B81B27B7-9EE2-61F9-BD09-02000000CE01}45124452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150622187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.326{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64550ABECA7C6F38AFD618C9EDB9C111,SHA256=A9EF12F58FFC0819B7F8489B3E08541897D0190718CE55E3DB5218EE7EEB0C6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5D2161E79E34DB8819AB47C3DD493D2,SHA256=855EB3AFFE568145A7F1E49F68402433447FC0CAB0EEEC9FA52ABD0524E6CB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57347B9AD8E82F2D7367360FC583AD44,SHA256=61BFEA02E2741F8A1878C2EB0B2D331AC163BA1A017A21BFA7D077F7A4043DC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:12.709{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49F07AAF9362A7C9AD9CF1D3D49B3905,SHA256=1B5B3B5D1A2EC683D567FF7D13D9B91A2F90A742343DD331E536517FF0D0F782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.014{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150622183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.014{3BF36828-9EE3-61F9-240A-02000000CF01}278496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.014{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:12.014{3BF36828-9EE3-61F9-240A-02000000CF01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071066012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:13.131{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C280C77B5979AC58DAE529E60A794391,SHA256=A0CBE2133016CACA195111DEB8066B773A450A766D300FD63D49188B1ED3D1D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:13.310{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB31A491CE8CDF86B68BB356077351E,SHA256=EF9FD372EEADE394BAEFF75BC87E246BD58267B0677D04E81473B59E08DBACA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:14.326{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A55726A233187097EC3383B213E006,SHA256=6C05FE841830DCD6285302C79984DB484985F4FFA1D41D80227D7B32B35EB63B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:07.944{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52560-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:14.319{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABDF3468A19C1B5C8987A9B0183BBAB,SHA256=49034D3D4396C78EBA6D83DD2C4A241475C6D8986E67B121629CA14964EC7382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:15.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748995FF9CB2D6E8F27B8F5A42C46888,SHA256=DD0F87A195E10087448D2B510E32D382753F1330B0D9FE5E0316B6AAD2A7F669,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:15.373{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD0EEBCD85BD6C3A8A65944892B3121,SHA256=92D464EAEFFEC8A4489B3C04B590A92A7CB7229A5414F52F06ECFE661EC56DA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:15.139{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3F07A5ECB4AC11C45A660FF307C4144,SHA256=DD44ABCDFF86F838E9848EADEDE4D8F01C9A12FCFD8DD81317CBB80BE0183AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000071066016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:16.334{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445E5C1E694A6FDAC337B1C7AE112097,SHA256=9D6FD738D5D0571A68BC7FF0F4C96EB3669DD98A3F54B09497D920925D0B4720,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000150622193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:57:57.765{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52421-false10.0.1.12-8000-
23542300x8000000000000000150622192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:16.374{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B719FE75E0B52877D3C323EDFF59F7,SHA256=DF8DA3E2A739288B16950CC979CBAED59CC1E6FEF3A8523E2B019769CCF0AD35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000071066017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:17.350{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612FC738B42EDA2DD08D917D3179D522,SHA256=1D4AA5D23EDD22FAA494AFBF03599DAED1D300380A0C0D8DB139718663C0E96D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:17.390{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AD5A1D771361471A46EC0DC9A0B460,SHA256=C8117C1A638DCE232CAE3A8759DA7BFBADFD1AAE8E74DE5FC98A54925B97093A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000071066018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:18.366{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF61DB9F9BE5ED161B2368AE78A7A0A,SHA256=6520AC08F188260C01DF01299B8F4EA900EAD8446B4014089D79EDC72D9803A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:18.405{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B624B372E5973FC3F88F712D3E63D1,SHA256=60276229AD8C9A478D4061AE07C23A0BAFE2A1CE31AF58EE0B2F2FD009F3DCC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x800000000000000071066019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:19.381{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67083762973DD0845F1C0757D18C87B4,SHA256=7A99F06E4FD651CB5A4EB5E92292AE6C8BC21916FAE97CF2AEEA3A66C214085F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.640{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38EE2F79FE2295291AAD18B5E596CEA8,SHA256=C52BE882A6B9385ECB5B316F3C628DD4F4ED2D6A6DA495765D27E6B507F73DD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
734700x8000000000000000150622247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.546{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000150622246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.546{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid
734700x8000000000000000150622245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.546{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid
23542300x8000000000000000150622244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.485{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B83A8F1851C85532B578EEF053EE86B,SHA256=DD4FBF41A8ACAAD89A4576386E3969FAB427B896D01265266C3AEFD866BCDA7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
734700x8000000000000000150622243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.374{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000150622242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.374{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000150622241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.374{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000150622240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.374{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid
734700x8000000000000000150622239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid
734700x8000000000000000150622238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000150622237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid
734700x8000000000000000150622236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000150622235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000150622234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000150622233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000150622232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000150622231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000150622230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000150622229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000150622228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid
734700x8000000000000000150622227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000150622226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid
734700x8000000000000000150622225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.359{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkU
niversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000150622224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000150622223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000150622222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000150622221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000150622220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid
734700x8000000000000000150622219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000150622218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000150622217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000150622216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000150622215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid
734700x8000000000000000150622214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000150622213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000150622212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid
734700x8000000000000000150622211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000150622210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000150622209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000150622208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
10341000x8000000000000000150622207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x8000000000000000150622206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid
734700x8000000000000000150622205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid
734700x8000000000000000150622204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000150622203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid
10341000x8000000000000000150622202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000150622201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000150622200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000150622199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x8000000000000000150622198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x8000000000000000150622197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.343{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x8000000000000000150622196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:19.328{3BF36828-9EEB-61F9-250A-02000000CF01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000071066021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:13.757{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52561-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x800000000000000071066020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:20.397{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5085B6937A42F6CC9C41CFD965F419,SHA256=604E3864F57822B0C4C36CA03A153E84A047D4DB216EBB73A5F651A521074AC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
354300x8000000000000000150622252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:02.844{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52422-false10.0.1.12-8000-
23542300x8000000000000000150622251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:20.499{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155ACFE19F7A16076E43C1DB42A478DD,SHA256=F971BBE938822610D71C0401999846C5FDB2F243E283012E5055A0CAB709FBBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:20.218{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8229FAB9446AEF3CE0D774CEA66B5322,SHA256=20E9FE982A82E7E4EFBAF0BC661A467C49B752E83EE73A79A3D2AD5B92D368F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space
23542300x8000000000000000150622249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:20.218{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D36225B74853AB7212C5231E9A474466,SHA256=DF36F039509766F178C756AAECBF9A7F9BCD4929DD699D8141FE09A0E0EB4454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.975{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EED-61F9-BF09-02000000CE01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.975{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:21.975{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.975{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:21.975{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.975{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-9EED-61F9-BF09-02000000CE01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.975{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EED-61F9-BF09-02000000CE01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.960{B81B27B7-9EED-61F9-BF09-02000000CE01}2168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:21.631{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C6842FC4E13C20664D4AB42DE6EF4D,SHA256=70EABEEF5D2846E41E6742B4A042D4B28F4A81788C778DAB94B79676DE3A0F4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:58:21.530{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E206E32283AB0AF5E9C40B5059ECAE,SHA256=F5690AC70964413D01209445088C11ECF5EB2843AFCAD3E90822232460E3B83C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.975{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C986C63675885348E23AEA1E66C78BE6,SHA256=2241C3DC1C2E944BAB8AFCA431E9167D519369A282F50F4D43B1985E70A21F3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.975{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91C968D7D36F43B92AA145EA62153A05,SHA256=1E37114C0B0C12DC3644B550F29CEFCDB9C8FDE1D1BF323D86072FDE699CCDDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.819{B81B27B7-9EEE-61F9-C009-02000000CE01}30924188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.678{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC09F51851B5171C2713AB46A0BE1DB,SHA256=06115EF9D1F2E5688E1C390AE7F8F7C68FA903BBA296886709784050965E3124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:22.562{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A62ACC4D8D03CC0F12733CF4B3B4B72,SHA256=4B61E587E8D87272EF3D7F7849074DD6838A76BF602C6C9A69E9A02DAA950184,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.663{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EEE-61F9-C009-02000000CE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000071066038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.663{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.663{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:22.663{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.663{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:22.663{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9EEE-61F9-C009-02000000CE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.663{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9EEE-61F9-C009-02000000CE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.648{B81B27B7-9EEE-61F9-C009-02000000CE01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071066031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:22.178{B81B27B7-9EED-61F9-BF09-02000000CE01}21684460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:23.710{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56E96382E89A8DAC0A12031E2067C4E,SHA256=DC2456AC5154C57AA3D12CDCD26C250ECBFD68917AEBECAA910764BBAAA4EB7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:23.609{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C83D8FEC017449BFC4151C07BF28E41,SHA256=02B96154C7904ED9B1690B46163956F5B29222F1425A9AE69AFE57437FC16509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:23.538{B81B27B7-9EEF-61F9-C109-02000000CE01}42602660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:23.350{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9EEF-61F9-C109-02000000CE01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:23.350{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:23.350{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:23.350{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:23.350{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DABBA746FE80D8C1532E69F873B60E7D,SHA256=5327CF60C91B32722A9F2AC8A61A94948EC2498FB50FF9F65F27E851F2ADA361,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:37.859{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72B764A23DAEC533363AA5C752D9B31,SHA256=DE58C3E1DC7A62357604E3D8B8A65C8E3712361CC9458C8619C92277BC033389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:37.600{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89436FAF5AB04E3C9321D28F9E478B3,SHA256=A76055CBCA8EB5278B3DB7226A31D055E30465B83E3B7112E5F7B4BB32BA28D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:18.859{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52429-false10.0.1.12-8000- 23542300x8000000000000000150622301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:38.874{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D568909724CEB34CACEA2B4B13F1B9DE,SHA256=EC2A94DCCBEFBE5C143F7D9329F737F812CF575A870C4D16AC178EC2EE475B54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.803{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:38.600{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEAE421F9954F26F36B604BF81A57A9,SHA256=E0E0E15F5E40EB8BF3D55C7C60D45E71D9F7AB114C844711DDE2737340243C40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000071066092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:30.788{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52572-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150622302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:39.905{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F598092CE073881E44AA83FB41B4BF,SHA256=3D0F40F66BCB9A6CC2A05ECE9548601F85E61FBD2567D0FAC69CA664A0F96332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:39.616{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255617CBD3DB41F2F3FB927DB7D820F0,SHA256=868DD515571922C33E0033F8596EEF2E8DD7B1EF0CE258AF503E7DC1C308E79B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:40.952{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B7F3A1D072BBEC66DB39C4061DC6A2,SHA256=13FECDDB204DBE35106EABDD350FB86EB7CDDF61848FEA9E4873C1B6634F4EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:40.616{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C22BB6CD0390B60E5349838E317337F,SHA256=E610BA5851F2B22AE3F3C1CFABEF71E0C28AF3BD4153817EC1F633939F26DC3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:58:41.631{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D611B579E0AE8E9CBF934A2CCC5C592B,SHA256=0C24F3FEBB4B287785B6B3FD0A24F446D9A2D243BF8C29FBF141B2D0AF71DC65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:23.922{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52430-false10.0.1.12-8000- 23542300x8000000000000000150622305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:41.265{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000150622370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150622369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150622368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150622366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150622365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 
734700x8000000000000000150622363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150622362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150622360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000150622359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150622357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150622353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
10341000x8000000000000000150622352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 
(rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000150622347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:03.895{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:03.895{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.895{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.881{3BF36828-9F17-61F9-260A-02000000CF01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150622340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:03.473{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B20373E1DA6E3D7F0FB284C7FA07B3,SHA256=2C7983F150BF360C94B8B165274614E7578D42175BEF98F113C422F3AC605C33,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000071066148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:03.303{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADE35F80C2690BF938B99E0172C0C03,SHA256=F201BB2B5540E117EF0D8E2AA10FB41682A7109E6E92C19A7045E863C49F70EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150622446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:04.739{3BF36828-9F18-61F9-270A-02000000CF01}13205568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:04.739{3BF36828-9F18-61F9-270A-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000150622444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:04.739{3BF36828-9F18-61F9-270A-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000150622443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:46.802{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52435-false10.0.1.12-8000- 23542300x8000000000000000150622442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:04.630{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444F8AADFB274A3BCDE3DF4A40509470,SHA256=23C55E45F67785FDB278563F0E2DF1651CE20B55478EFE21179AE35442B8AC02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:04.598{3BF36828-9F18-61F9-270A-02000000CF01}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150622498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150622497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150622496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft 
WindowsValid 734700x8000000000000000150622495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150622494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.942{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150622490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, 
Inc.Valid 734700x8000000000000000150622488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150622486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150622485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 
(rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000150622481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150622480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150622478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150622475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150622474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000150622473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000150622471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000150622470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000150622469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150622468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150622467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 
(rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150622465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000150622464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000150622463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network 
monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000150622459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:09.927{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:09.927{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
734700x8000000000000000150622523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x8000000000000000150622520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000150622516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150622515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:10.614{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:10.614{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.614{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.599{3BF36828-9F1E-61F9-290A-02000000CF01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150622508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.348{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F725C8BD3A40B7B44EF4C6103A0618,SHA256=4A4E02D59CA3529FEC6F4FFC8AA55A52C7CAEEF0F365E163DC47F5AF5FC22AA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150622507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.098{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150622506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.098{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:10.098{3BF36828-9F1D-61F9-280A-02000000CF01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150622663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150622661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000150622659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150622657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150622654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000150622652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150622649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:11.989{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:11.989{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150622586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150622583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150622582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 
734700x8000000000000000150622580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150622576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000150622573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150622571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000150622570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:11.302{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.302{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.287{3BF36828-9F1F-61F9-2A0A-02000000CF01}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150622564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:51.849{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52436-false10.0.1.12-8000- 10341000x800000000000000071066184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.414{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F1F-61F9-C509-02000000CE01}3616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.414{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:11.414{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.414{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:11.414{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.414{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-9F1F-61F9-C509-02000000CE01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.414{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F1F-61F9-C509-02000000CE01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.384{B81B27B7-9F1F-61F9-C509-02000000CE01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.149{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEB88F0AC23C4430C9E0F3E0A9C3E12,SHA256=FC285DC6DE341A5736C67B931E49CE9F853D5EB457D438603CD1E295D8358A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:11.149{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B26E3964A0D7380305A7E84AFA42B0A,SHA256=4A6E4AC2E3201EE7AAAEC09E8D977BA8CD6E38EEDBD692362AC7B5C9A6609B2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:03.773{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:12.773{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE8FEB8F04064BC1691975BBED23ED3,SHA256=EACEEE6389F2EB8C87E7AE8EEBB7ECDBFDD57535AAF1899967F4AD0C41001922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.302{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E470B604EA2A5E750CB86D79CBCED2AC,SHA256=293CA65EE4E1B666B1642FEB3026D7E6264D744B9E1AB4E9F903FF08FB9DBD80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150622695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.286{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4B06F0788762E4ACFA70AD7BF6BB4D,SHA256=486E57E93C415A4899B94A37D2C2B2A1F7CD877D9C3215C9B2B804E588F59E24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.270{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824DD247390765571AEACCA9882CB6C0,SHA256=9FA390ED92186A31A4E4EC470E373340D14F98837B05E7012FE09E60D1DC164C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.114{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150622692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.114{3BF36828-9F1F-61F9-2B0A-02000000CF01}45844660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.114{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.114{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150622689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150622688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150622687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150622686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
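The export above flattens each Sysmon record's fields into one run of text. The Event ID 10 (ProcessAccess) record in it reads, field by field, as splunk-powershell.exe (PID 4584, thread 4660) opening a handle to splunkd.exe (PID 3056) with GrantedAccess 0x101400 and a CallTrace that resolves entirely to on-disk modules; the Event ID 7 records beside it show the same process loading dbghelp.dll and dbgcore.dll. The following is an added example, not part of this export and not Splunk's or Sysmon's code: it decodes a GrantedAccess mask into the winnt.h process rights it contains and applies a simple triage to ProcessAccess records laid out in the "Key: Value" form of the rendered Sysmon message. The first sample record reproduces the values visible above; the second (dump.exe reaching into lsass.exe with 0x1010 and an UNKNOWN call-trace frame) is constructed for contrast, and the verdict thresholds are this example's own heuristics, not a Sysmon or Splunk rule.

```python
"""Decode and triage Sysmon Event ID 10 (ProcessAccess) records.

Added example; not part of the exported Sysmon data on this page. The first sample
record mirrors the splunk-powershell.exe -> splunkd.exe access visible in the export
(PIDs 4584 -> 3056, GrantedAccess 0x101400); the second is a constructed contrast case.
"""
import re
from typing import Dict, List

# Process access rights from winnt.h; Sysmon reports GrantedAccess as a hex mask.
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
VM_READ, VM_WRITE, VM_OPERATION, CREATE_THREAD = 0x0010, 0x0020, 0x0008, 0x0002
ALL_ACCESS = 0x1FFFFF

# Constructed sample input in the "Key: Value" layout of the rendered Sysmon message.
# Record 1 uses the values from the export above; record 2 is invented for contrast.
SAMPLE_EVENTS = r"""RuleName: -
UtcTime: 2022-02-01 20:59:12.114
SourceProcessId: 4584
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
TargetProcessId: 3056
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675

RuleName: -
UtcTime: 2022-02-01 21:03:00.000
SourceProcessId: 6120
SourceImage: C:\Users\Public\dump.exe
TargetProcessId: 612
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(00000000024A1F30)
"""


def decode_granted_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into the named rights it contains, low bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Key: Value' records into dicts (first colon wins)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Classify one ProcessAccess record by the rights obtained and its call trace."""
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    # UNKNOWN frames mean the caller ran from memory not backed by a file on disk.
    unbacked = "UNKNOWN" in event.get("CallTrace", "")
    if mask & ALL_ACCESS == ALL_ACCESS:
        verdict = "all_access"
    elif mask & VM_WRITE and mask & (CREATE_THREAD | VM_OPERATION):
        verdict = "injection"          # write + thread/alloc rights: classic injection shape
    elif mask & VM_READ and target == "lsass.exe":
        verdict = "credential_access"  # reading LSASS memory (0x1010, 0x1038, 0x1fffff ...)
    elif mask & VM_READ:
        verdict = "memory_read"
    else:
        verdict = "query_only"         # query/synchronize rights only, e.g. 0x101400 above
    return {
        "source": event.get("SourceImage", ""),
        "target": event.get("TargetImage", ""),
        "granted_access": hex(mask),
        "rights": decode_granted_access(mask),
        "unbacked_code": unbacked,
        "verdict": verdict,
    }


def triage_all(text: str) -> List[Dict[str, object]]:
    """Parse and triage every record in a message-layout dump."""
    return [triage(e) for e in parse_events(text)]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(f'{row["verdict"]:18} {row["granted_access"]:>9} {row["target"]}')
        print("   rights:", ", ".join(row["rights"]), "| unbacked:", row["unbacked_code"])
```

Run against the two samples, the page's own access decodes to PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE with a fully file-backed call trace, while the constructed lsass.exe access carries PROCESS_VM_READ and an unbacked frame. The verdict names are deliberately coarse: a real detection would also key on the target image, the source's signature status (the Event ID 7 records above carry Signed/Signature/SignatureStatus for every loaded module) and a baseline of which sources normally open which targets.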
734700x8000000000000000150622685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150622684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150622683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150622682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:12.005{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150622681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150622680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000150622675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150622674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150622673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® 
Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150622670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150622669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000150622668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150622666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:11.989{3BF36828-9F1F-61F9-2B0A-02000000CF01}4584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 23542300x800000000000000071066186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:12.383{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEB88F0AC23C4430C9E0F3E0A9C3E12,SHA256=FC285DC6DE341A5736C67B931E49CE9F853D5EB457D438603CD1E295D8358A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:13.458{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C711CE56E568AE4BF1CC2B5344B1F5,SHA256=69AFEFDC90817C2E65E5689E921DEBF411114DFB9370211DD6B3A2B793C7C079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:14.489{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804043DE11468626571E68235C52158A,SHA256=9BDF3FFB817BE9B28B62CA78F6C16539BE9770D49A53CED650B766A4B12C5D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:14.008{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2C282222743EAB03875C835DF1D2E9,SHA256=D40AC5630CB13592B12514115E9C5A2BD0106E8101C0E80AAAEAB8A87FBF5587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:15.536{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098E5B1CA7C1501F65778C1489361C4E,SHA256=4BD7AF8FD44A04B5F4ECC4A4D2918FB4EF63C5EE5802B0CAF12EF7B5CEA04CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:15.039{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78C193A0C79957DB53126F806CFFDD3,SHA256=AF52531B464D3D4B59505BE741F091288C3FCBFF40A540D1C35164BACDC44D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 354300x8000000000000000150622700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:58:57.817{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52437-false10.0.1.12-8000- 23542300x8000000000000000150622699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:15.192{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C287C23CA40128339E74CA9C7756FE6,SHA256=1AA6C056525F3BBB1910765DDF963B0B999713FA34B0F08AD0FE4F64A7D216EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:16.552{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52059EF571CBE173284993A9BE07C85C,SHA256=745A6D60E72FFDAA695F0CEF4D0999E662E2A37A1A42BC80463F4F44BC7E4ACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:16.039{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E57C23F507A701A7C4B760CFE83723A,SHA256=2D41454109B8E064C3F8D0D8BA2903294ACC9BA78B2BC16DAFE049379C9CB666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150622703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:17.645{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FFF490AFD58BE9B3364E74F6018CFA,SHA256=CD99A77DA5FAFF24EECF35B3C511B6FBB35FF260F7960C17C5FA4E7EEF5322EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:09.805{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52580-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:17.055{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B597CBE76CBC93C9187C03359E6D521B,SHA256=7C42F9425E99940CAE7AC8DDE55E5B038A10656B16F07EEDF137A5713370C021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:18.661{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304C6EAF680D83508E3044BA7852A15A,SHA256=E582693A207548BCDCC4CEAD0189054F48625386B9AFD01F7357C9A0AC98E567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:18.070{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4019EA8BB70B91250B10AF32A1BAFD,SHA256=5FC09275E3EBEDB09C53AAC21E82188737641EC67917FD17EA0DEF64DEEE4D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:19.086{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D17EFE9A0011E5919B3116CC7013EA4,SHA256=3C9A96F22D0634A3D2C3A8629A6640820070369EF3825F8373BED8FF3EBA8E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.645{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6DCD29E605CBF70C27E96CDB975D17BC,SHA256=DE8BC8D1D91F582F86A8B746992A3A7CC7D73F1926CD8F6F43833894733E544D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:19.505{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150622754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.505{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150622753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.505{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150622752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150622751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150622750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150622749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000150622748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150622747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150622746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.364{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150622745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150622744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150622743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150622742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150622741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150622739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000150622738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150622737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150622736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150622735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150622733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150622732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150622731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 
(rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150622729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150622728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 
734700x8000000000000000150622727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150622726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150622725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150622724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating 
SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150622722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
734700x8000000000000000150622720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150622716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000150622713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150622711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:19.348{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:19.348{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:19.348{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.348{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150622705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.334{3BF36828-9F27-61F9-2C0A-02000000CF01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:20.117{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC101AB3C0F25EFC12F59F5D829EB141,SHA256=94090307B13191AD7E84DCC86319AF059AEA14C81808462BEFA75DDF996DD6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:02.833{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52438-false10.0.1.12-8000- 23542300x8000000000000000150622758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:20.177{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCF3F3441FA70D74B46C8357BC6DEBFB,SHA256=8DA17F6F27E33B60C30746F160D93679C7A4B3425A6EB5F26F566DB5262E8728,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150622757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:20.145{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508F384A0F810DBEE6D2D3D22E169C5A,SHA256=D62191913DE1E09691386B8B7BFCBC7C044F3118BE653AA7714BB1E5AC06F448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:21.977{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F29-61F9-C609-02000000CE01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:21.977{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:21.977{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:21.977{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:21.977{B81B27B7-4B39-61E8-0C00-00000000CE01}7362500C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:21.977{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-9F29-61F9-C609-02000000CE01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:21.977{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F29-61F9-C609-02000000CE01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:21.962{B81B27B7-9F29-61F9-C609-02000000CE01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}44762140C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F5F6-00000000CE01}3668C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}44762140C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F5F6-00000000CE01}3668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}4476224C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F6F6-00000000CE01}3184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}4476224C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F6F6-00000000CE01}3184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}4476224C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F6F6-00000000CE01}3184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:32.727{B81B27B7-73DE-61F0-77F6-00000000CE01}4476224C:\Windows\Explorer.EXE{B81B27B7-7762-61F0-F6F6-00000000CE01}3184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:32.242{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9A3350C70884FF66643BC86076C5D6,SHA256=3FC75C1CF7C08693CAA8EA3F2A9D15198077408E62A15D79A50E9B7D0297350A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:13.911{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52440-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150622776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:13.911{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52440-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150622780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:33.489{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809F47B4AEE47BBCBAE3EB589D06D5C9,SHA256=98B4468FD0888512C50E8286F78EA0081E9C8CA9D864B0F582DB493FCB0D0414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:33.242{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947866177E244F723244D7B1222F9E7E,SHA256=7C2B472E5707954CC48B57AAB7C75487146A1536F873069D68D9C74CBDB73190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:14.739{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52441-false10.0.1.12-8000- 23542300x8000000000000000150622781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:34.520{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7A59192B1FE833719574A964384EE6,SHA256=6D29E924E27EDE7754FBE120AD64C42D07A8F501055E32A3AA706D493766621F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:34.243{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4536B8D516D34000B532B1A379168FDF,SHA256=4602B3DDC15095EC03D56491C130CC0DAE9B07B4019ACE38A6338DCA02BB7F09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:35.552{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E93C9BA14184B1EDDE8361AB7C01BF,SHA256=08C5CF5B90810547A2BF9591C4BE6CEE3146C58A3D38A87F3612AAD2D50D67F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:35.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE14891C65E929AEF920509B0B53B2C,SHA256=21C83DE69877F118081DF2CEB75CD869FFBA53E1DB8B71ABB346FC88CBBE5FD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:36.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F9D03398E23381D703A1A9F2B1E211,SHA256=59DD67ECD38F7D7D8294865056FF26C097F2CA9929B5EE2C21F77D791F3C357F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x8000000000000000150622783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:36.567{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F602E2C3DA98FCE1AD64A545D3FA9306,SHA256=51EF561F857FB37AEAA41C0434E3F799A8B6B05A2C11FBBE321F635E9DB857C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:36.149{B81B27B7-4B38-61E8-0B00-00000000CE01}6403112C:\Windows\system32\lsass.exe{B81B27B7-4B35-61E8-0100-00000000CE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000150622786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:37.583{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6A55DF72B48E7D393B39E388048342,SHA256=E56BB92AD807B03B759CF0A7766E3C58DF7EF96C77B9C130CC7AAEC0EEBCAB22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:30.853{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52587-false10.0.1.14-88kerberos 354300x800000000000000071066262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:30.851{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52586-false10.0.1.14-88kerberos 354300x800000000000000071066261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:30.849{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52585-false10.0.1.14-445microsoft-ds 354300x800000000000000071066260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:30.804{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:37.289{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67815B220036D809B49227DB525002C8,SHA256=50500B9B68E8B2B816B45DFF9AB966747764712847ABD42048540008D150A59F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:37.177{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63667986E84BDD2536889826A49E578F,SHA256=F04CAA3542FBB6E48975D2B7FDC1F7FC33F79E497B4601AFF08C7629AF5428B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:37.177{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85F6F4F972BCC038D1ADFF3BD4D90A1F,SHA256=E345738710E03786818A76E979BF6E653069C5EAAE6DCD96BD203156453F0C56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:38.598{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA8BC63EAAAB6EB3A6DC83CFD767B22,SHA256=12499392DD22D67D1DC8D1C3B7075220C6954D66E8BC59312BFA107EEF888CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
20:59:38.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2773AD012652701B30A390CA347ED575,SHA256=107C2F2E3F88D4C4743FA53D8A9EA12060C9ADC3BBDDAA224B49F25150D9C145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.826{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local52443-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150622791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.826{3BF36828-4B49-61E8-3000-00000000CF01}2408C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local52443-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000150622790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.822{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98752587-false10.0.1.14win-dc-128.attackrange.local88kerberos 354300x8000000000000000150622789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.819{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98752586-false10.0.1.14win-dc-128.attackrange.local88kerberos 354300x8000000000000000150622788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.817{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98752585-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000150622787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:19.786{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52442-false10.0.1.12-8000- 23542300x8000000000000000150622794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:39.630{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD353FE8DBB42C343C0C5B72E5A8970,SHA256=2F781AEA25034AFADCFAAB12952F1FB27AD6BBDC6EC59E9D419CB12018888173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:39.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A3B192206D6D3EEAF2543914896E65,SHA256=CBF23324A8F81562950EF5498F8EA53A60C5E0C3EC57B259EFC0244494B2AF9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:40.661{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821A5EC591FD3B672180B38990A4CAD7,SHA256=ABDF96A19FBAF33302BAD3A6A949FA4944B60044CCD4ED55BAC7BE7E009B5ECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:40.352{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4B14A10B9840479D56B837BA63A594,SHA256=6887FA99FBCD229E447159BAC2E7BFCC328EE2C4150C2CFF777ED8F8B5DE3E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:41.586{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB16CE21D0092E491CD8D1ABAB8B6C9C,SHA256=45E6EDDB8970E59D9D86B1588E8A1F8DE806AC520B4CD03AFFEFB86F11BF601E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:41.677{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB05AA90D0A338057AFBFACD99AA4903,SHA256=C08C219611BF46DDE6110889C13ACDC549504014686CDBE8A8ED44AC275CE355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:42.711{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2A5418BB31E35AD848138E4AADA931,SHA256=F30D3AD446A5CE1D45E1BD529F3F5687AF93A95A00805013BFF4002EA4245D9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:42.692{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137361EC184827767C5086C4AA924B1,SHA256=960AD1CBA0A7B9E74E55022130DF0520FDDC76B60754500BEEEC2A06D4838E9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:42.302{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=685AF866B82E6D6FA8A12117314DCB9B,SHA256=6278A019532A2BFAA52AD90AC32B0023FDDFBD5BE8A7B0E31FC17DDC154D12A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:42.302{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63667986E84BDD2536889826A49E578F,SHA256=F04CAA3542FBB6E48975D2B7FDC1F7FC33F79E497B4601AFF08C7629AF5428B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:43.899{B81B27B7-4B3A-61E8-2600-00000000CE01}2172NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:43.883{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1828AE3F2E4F07DF19B58F01EDD57265,SHA256=5951B92D8E9B6FA65A43471001F2EF9B90DCEB419CBAE4D69AE6C3BF1F5FBB8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:35.851{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150622801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:43.708{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBA9356DA7FEEF3DBD3AB4F220735FF,SHA256=F5597DB4CBF8E795090AB6836DE0575EC0EB4EB4DDE3E6DD81D1E7E6F993160C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:24.864{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52444-false10.0.1.12-8000- 23542300x8000000000000000150622802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:44.709{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946DF8269B2A0E05A51AF41D5B6A8982,SHA256=23C0232F2A60B6508E0ACC6C3B8C95D59D6412E7EA65779982C3F4D18076E6A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:45.754{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47888BE8F8AF0D94EBA0F157FDBA36E,SHA256=86CA864CBE6E1BD9D4A1CFF0CBDB63BD1901619476A55DC86D7C7D701ECD434C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:38.586{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000071066272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:45.117{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816F3805696714E5A14E308EA9FA3555,SHA256=D0B29D89829BA5FBFAE39B627657BAC315D37DABB1CEA43BAB07DC175C797987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:46.757{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE045D2198EF61326146143DD70F2CB,SHA256=26A9D054706F8AE48E10809512D745E11660507B418D1206021E1618DA105A36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:46.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6489649DA4739594B9D26F91C46728B,SHA256=5F3F57479D2B67C6E37F7E1EC0C6F7E86CBC236AD4421C6021638F578CDF6C2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150622810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60684548C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60684548C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150622808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}6068ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150622807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:46.694{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150622814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:47.929{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C1C98F413B93ECA0C46FEAFFB5BE5CD,SHA256=8F07613DEE7C33E931F54D9201C8BB13230AE422DA2A6D5A7450A426E31720E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:47.929{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=685AF866B82E6D6FA8A12117314DCB9B,SHA256=6278A019532A2BFAA52AD90AC32B0023FDDFBD5BE8A7B0E31FC17DDC154D12A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000150622812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:47.772{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412CED99AD361D1872417E874FCAF24F,SHA256=250FDA4C9B832D343521056E3B067052C37A3DB1916F212C43345EE3FAF4407D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:47.383{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA807B9EEB9DA4874CC64E8B1994031,SHA256=3394DDA2B6FF47356B5747FD37BFA60CE10DA6EC9CABA4D50CEDBB54A5F03946,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:48.383{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F13B753C7D2563622272991B2FBF210,SHA256=6FECE51E2666B999FA1B81E7FA910028E5C6B3CE87796A814BBEBC3DA2DCC668,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:48.788{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F106FBAAD1978669E25EEE6FC1D7B427,SHA256=E3975D5CDBE5CCF2BA47E407E54051FE794D5FA8EBAD2540AA6727CC33021E8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:40.930{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:49.399{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F465AE753A1D60E50CEA63D9CD916D7,SHA256=D1984168D8687CD38C160AF0D877DAFDB6598F765873534CCC87B67F9F1444B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150622956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27725632C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27725632C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.991{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60682156C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60682156C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150622946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-066A-61F8-13DA-01000000CF01}3168ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet 
Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=0E4B83CFA6232D6B470A93495F6F97E8,SHA256=B0DB2E55BA70B75327E9ECE644C348946FAA0A3B5650578DF2A1F62F3F698B37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x8000000000000000150622944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 10341000x8000000000000000150622943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}27725632C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}27725632C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x8000000000000000150622941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 10341000x8000000000000000150622940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000150622939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x8000000000000000150622938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 10341000x8000000000000000150622937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60684288C:\Windows\explorer.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60684288C:\Windows\explorer.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60682156C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-0669-61F8-11DA-01000000CF01}60682156C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft 
CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid 23542300x8000000000000000150622932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.882{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83BB58DA2C69BEF6B79C455EDBA0856,SHA256=84BDDA634FDA6AE2C82A76C54E67FE6975DE81C19D4986E7391919AD615DFDE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150622931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:30.772{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52445-false10.0.1.12-8000- 734700x8000000000000000150622930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 10341000x8000000000000000150622927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000150622925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150622924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150622923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150622919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150622918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.335{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150622916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000150622915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150622914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000150622910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-DC57-61EA-584E-00000000CF01}10404376C:\Windows\system32\csrss.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150622909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150622908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150622907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000150622905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150622904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.320{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150622903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.258{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BE47F022412BE3184A2C81FCEADB46,SHA256=56CDA7A27A2438B8101F2664B550FB4BAFDF361ADADAE2366BF7BB0EF6132629,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150622902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.241{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150622901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.241{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150622900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.241{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 10341000x8000000000000000150622899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.241{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.241{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.241{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150622896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150622895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.226{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150622894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150622893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150622892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150622891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150622890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150622889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 
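
The records on this page are Sysmon events from win-dc-128.attackrange.local (IDs 3 NetworkConnect, 7 ImageLoad, 10 ProcessAccess and 23 FileDelete) whose XML element tags were stripped, so the fields run together with no delimiter. The parser below is an added example, not part of the page or of Sysmon. It splits the records back into labelled fields with regexes anchored on fields of known shape, decodes the GrantedAccess mask of the ProcessAccess records (0x1fffff is PROCESS_ALL_ACCESS; 0x1478 is VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE, QUERY_INFORMATION and QUERY_LIMITED_INFORMATION), and flags the FileDelete records whose Archived field reads "false - insufficient disk space", which says Sysmon did not keep a copy of the deleted file, so that evidence is gone. Assumptions, all labelled in the code: the Sysmon field order for the event versions seen here (ID 3 v5, 7 v3, 10 v3, 23 v5), RuleName "-", the Product and Company literals used to split the ImageLoad metadata (every loaded image on the page is Microsoft-signed), and that Windows allocates PIDs and TIDs in multiples of 4. The export also dropped the boundary between SourceProcessId and SourceThreadId, so that pair can only be narrowed to candidates, never recovered outright. The five sample records are copied from this page with line wraps removed.

```python
"""Parse the tag-stripped Sysmon records on this page back into labelled fields. Added example, not part
of the export. Each split is a regex anchored on a field of fixed shape (GUID in braces, drive-letter
path, timestamp, hash list, true/false); field order follows the Sysmon schema for the event versions
seen here (ID 3 v5, 7 v3, 10 v3, 23 v5), and RuleName is assumed to be "-" throughout."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATH = r"[A-Za-z]:\\.+?"          # lazy: ends where the next anchored field begins
HASHES = r"MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+"
BOOL, IPV4 = r"true|false", r"\d{1,3}(?:\.\d{1,3}){3}"

# EventID Version Level Task Opcode Keywords RecordID Channel Computer RuleName UtcTime; Task repeats EventID.
_HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)(?P<keywords>0x[0-9A-Fa-f]{16})"
    r"(?P<record_id>\d+)(?P<channel>Microsoft-Windows-Sysmon/Operational)(?P<computer>\S+?)-"
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$", re.S)
_BODY = {
    # ProcessAccess: SourceProcessId and SourceThreadId were printed back to back (see pid_tid_candidates).
    10: re.compile(rf"^(?P<source_guid>{GUID})(?P<source_pid_tid>\d+)(?P<source_image>{PATH})(?P<target_guid>{GUID})"
                   rf"(?P<target_pid>\d+)(?P<target_image>{PATH})(?P<granted_access>0x[0-9a-f]+)(?P<call_trace>[A-Za-z]:\\.*)$"),
    # ImageLoad: Description/Product/Company/OriginalFileName have no boundary; kept as one blob, split by _META.
    7: re.compile(rf"^(?P<process_guid>{GUID})(?P<process_id>\d+)(?P<image>{PATH})(?P<image_loaded>{PATH})"
                  rf"(?P<file_version>\d[\w.]* \([^)]*\))(?P<metadata>.*?)(?P<hashes>{HASHES})(?P<signed>{BOOL})"
                  rf"(?P<signature>.*?)(?P<signature_status>Valid|Invalid|Unavailable)$"),
    # FileDelete (archived): Archived is "true" or "false - <reason>".
    23: re.compile(rf"^(?P<process_guid>{GUID})(?P<process_id>\d+)(?P<user>.+?)(?P<image>{PATH})(?P<target_filename>{PATH})"
                   rf"(?P<hashes>{HASHES})(?P<is_executable>{BOOL})(?P<archived>.*)$"),
    # NetworkConnect, IPv4 only; assumes Image ends in .exe and port names carry no digits.
    3: re.compile(rf"^(?P<process_guid>{GUID})(?P<process_id>\d+)(?P<image>[A-Za-z]:\\.+?\.exe)(?P<user>.+?)"
                  rf"(?P<protocol>tcp|udp)(?P<initiated>{BOOL})(?P<source_is_ipv6>{BOOL})(?P<source_ip>{IPV4})"
                  rf"(?P<source_hostname>.*?)(?P<source_port>\d+)(?P<source_port_name>\D*?)(?P<dest_is_ipv6>{BOOL})"
                  rf"(?P<dest_ip>{IPV4})(?P<dest_hostname>.*?)(?P<dest_port>\d+)(?P<dest_port_name>\D*)$"),
}
# Assumption specific to this page: every loaded image is Microsoft-signed, so these literals are the anchors.
_META = re.compile(r"^(?P<description>.*?)(?P<product>Microsoft® Windows® Operating System)(?P<company>Microsoft Corporation)(?P<original_file_name>.*)$")
_RECORD_START = re.compile(r" (?=\d+0x[0-9A-Fa-f]{16}\d+Microsoft-Windows-Sysmon/Operational)")
_PROCESS_RIGHTS = {  # winnt.h PROCESS_* bits plus the standard rights that PROCESS_ALL_ACCESS folds in
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS",
    0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

def decode_access(granted_access):
    """Expand a GrantedAccess mask such as 0x1478 into right names; 0x1fffff is PROCESS_ALL_ACCESS."""
    mask = int(granted_access, 16)
    if mask == 0x1FFFFF:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in _PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(_PROCESS_RIGHTS)
    return names + ([f"0x{unknown:x}"] if unknown else [])

def pid_tid_candidates(digits):
    """Assumes PIDs and TIDs are multiples of 4 and never zero-padded; that prunes the splits but may leave several."""
    pairs = []
    for i in range(1, len(digits)):
        pid, tid = digits[:i], digits[i:]
        if not tid.startswith("0") and int(pid) % 4 == 0 and int(tid) % 4 == 0:
            pairs.append((int(pid), int(tid)))
    return pairs

def split_records(blob):
    """Undo the page's line wraps (they fall on spaces) and cut where the next record header begins."""
    blob = re.sub(r"\s*\n\s*", " ", blob.strip())
    return [rec for rec in _RECORD_START.split(blob) if rec]

def parse_record(record):
    """One record -> dict of labelled fields; a body that does not fit the schema is kept as raw_body."""
    m = _HEADER.match(record.strip())
    if not m:
        raise ValueError("not a flattened Sysmon record: " + record[:40])
    ev = m.groupdict()
    body, eid = ev.pop("body"), int(ev["event_id"])
    b = _BODY[eid].match(body) if eid in _BODY else None
    if b is None:
        return dict(ev, raw_body=body)
    ev.update(b.groupdict())
    if eid == 7 and (meta := _META.match(ev["metadata"])):
        ev.update(meta.groupdict())
    elif eid == 10:
        ev["granted_access_rights"] = decode_access(ev["granted_access"])
        ev["source_pid_tid_candidates"] = pid_tid_candidates(ev["source_pid_tid"])
    return ev

def triage(events):
    """Flag deletes whose copy was not archived (a visibility gap) and handles that allow more than querying."""
    write_like = 0x2 | 0x8 | 0x20 | 0x80   # CREATE_THREAD | VM_OPERATION | VM_WRITE | CREATE_PROCESS
    findings = []
    for ev in events:
        if "archived" in ev and not ev["archived"].startswith("true"):
            findings.append((ev["record_id"], f"not archived ({ev['archived']}): {ev['target_filename']}"))
        elif "granted_access" in ev and int(ev["granted_access"], 16) & write_like:
            findings.append((ev["record_id"], f"{ev['source_image']} -> {ev['target_image']} {ev['granted_access']}"))
    return findings

# Five records copied from this page (line wraps removed), joined the way the page runs them together.
SAMPLE = " ".join([
    r"10341000x8000000000000000150622926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.335{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781",
    r"10341000x8000000000000000150622905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.320{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F45-61F9-2E0A-02000000CF01}4560C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f",
    r"734700x8000000000000000150622933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.976{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid",
    r"23542300x8000000000000000150622932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.882{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83BB58DA2C69BEF6B79C455EDBA0856,SHA256=84BDDA634FDA6AE2C82A76C54E67FE6975DE81C19D4986E7391919AD615DFDE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space",
    r"354300x8000000000000000150622931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:30.772{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52445-false10.0.1.12-8000-",
])
```

Calling `triage([parse_record(r) for r in split_records(SAMPLE)])` returns three findings: records 150622926 and 150622905 because their masks (0x1478 and PROCESS_ALL_ACCESS) permit writing into DllHost.exe, and 150622932 because the deleted Splunk checkpoint file was not archived. The two ProcessAccess hits come from the theme service inside svchost.exe and from csrss.exe against a freshly started COM surrogate, so a rule built on GrantedAccess alone would fire on every process start; in practice the mask is combined with the target image (lsass.exe is the usual one) and the CallTrace. The same `split_records` call accepts the page's raw text, since the line wraps fall on spaces; records whose body does not fit one of the four schemas come back with a `raw_body` key rather than an exception.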
734700x8000000000000000150622888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150622887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150622886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150622885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150622884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150622883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000150622882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.226{3BF36828-DC57-61EA-584E-00000000CF01}10404376C:\Windows\system32\csrss.exe{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150622881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.210{3BF36828-9F45-61F9-2D0A-02000000CF01}5760C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9001400C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9001400C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0D00-00000000CF01}9005436C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8405416C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\
RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150622822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-0669-61F8-11DA-01000000CF01}6068720C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000150622820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:49.147{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150622818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
(continuation of the ProcessAccess record begun on the preceding line)
  UtcTime (continued): 20:59:49.147
  SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}  SourceProcessId: 6068  SourceThreadId: 720
  SourceImage: C:\Windows\explorer.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150622817, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:49.147
  SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}  SourceProcessId: 6068  SourceThreadId: 5652
  SourceImage: C:\Windows\explorer.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150622816, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:49.132
  SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}  SourceProcessId: 6068  SourceThreadId: 5652
  SourceImage: C:\Windows\explorer.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623031, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.991
  ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}  ProcessId: 3900  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=E6667D117CE0FD3B1C5474E5B3E9C36E,SHA256=D207DBCDF5D08AEF5C6084DA8B86C60B88107D795A929CD91CFB26A126355543,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: false - insufficient disk space

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 71066279, Channel Microsoft-Windows-Sysmon/Operational, Computer win-host-987.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.399
  ProcessGuid: {B81B27B7-4B4D-61E8-6F00-00000000CE01}  ProcessId: 3156  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=6D58C8ED7E93DAB1FCB5BD60DD502F65,SHA256=CFA81218D252EB08227EFE735D3F91C9B29166A4C737EB92EA08EC4771489346,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: false - insufficient disk space

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623030, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.866
  ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}  ProcessId: 3900  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=5FEAD1FD49566549EDF104EB650D0B8D,SHA256=D2D9327F480557D6927A70BC232124623B66565B8D66279F321F34CA6DB93C9F,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: false - insufficient disk space

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623029, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 5804
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623028, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 5804
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623027, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623026, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623025, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623024, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.788
  SourceProcessGUID: {3BF36828-DC58-61EA-604E-00000000CF01}  SourceProcessId: 3872  SourceThreadId: 4180
  SourceImage: C:\Windows\system32\sihost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623023, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.726
  ProcessGuid: {3BF36828-4B49-61E8-2D00-00000000CF01}  ProcessId: 3056  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml
  Hashes: MD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: false - insufficient disk space

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623022, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.711
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623021, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.711
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623020, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.711
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x3600
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623019, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.711
  SourceProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}  SourceProcessId: 3000  SourceThreadId: 1008
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623018, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.711
  SourceProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}  SourceProcessId: 3000  SourceThreadId: 1008
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623017, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.444
  SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}  SourceProcessId: 840  SourceThreadId: 4768
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x3200
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623016, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.444
  SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}  SourceProcessId: 6068  SourceThreadId: 2156
  SourceImage: C:\Windows\explorer.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623015, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.444
  SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}  SourceProcessId: 6068  SourceThreadId: 2156
  SourceImage: C:\Windows\explorer.exe
  TargetProcessGUID: {3BF36828-066A-61F8-12DA-01000000CF01}  TargetProcessId: 6088
  TargetImage: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623014, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3160
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623013, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3160
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623012, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3456
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623011, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3456
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623010, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 2228
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623009, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 4408
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623008, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 2228
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623007, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 4408
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623006, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3456
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623005, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 3456
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623004, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 2228
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623003, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.241
  SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}  SourceProcessId: 2772  SourceThreadId: 2228
  SourceImage: C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}  TargetProcessId: 3168
  TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623002, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.210
  ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}  ProcessId: 3900  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes: MD5=3C1C98F413B93ECA0C46FEAFFB5BE5CD,SHA256=8F07613DEE7C33E931F54D9201C8BB13230AE422DA2A6D5A7450A426E31720E4,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: false - insufficient disk space

Event: Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623001, Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 20:59:50.147
  ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}  ProcessId: 3900  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041998717180C6E8A26FE71ABAF6ECC6,SHA256=952C6B00E23F420A772FB895ECC4C542CF1573064346DE0AB8E95DC75BE00FA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000150622999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000150622998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000150622995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.132{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000150622994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000150622993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27723160C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000150622992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.116{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27724408C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27724408C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27722228C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000150622982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150622981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.101{3BF36828-DC58-61EA-5F4E-00000000CF01}27724728C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000150622980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:50.101{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2714F8B51E433383B439C4A60BA79788,SHA256=16E91D14752E4EBCF2793AD4B6D6EF09CE8749CBA1B82586B7BC7A22145078CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150622979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:50.054
ProcessGuid: {3BF36828-066A-61F8-13DA-01000000CF01}
ProcessId: 3168
User: ATTACKRANGE\Administrator
Image: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
TargetFilename: C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xml
Hashes: MD5=194F969136097907859BCA2B93428928,SHA256=F087DF1A781FBE4E5A701338A52E586FA33F9CD4E82B8580CB6F6B8138F914BD,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - insufficient disk space

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622978 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622977 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622976 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622975 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622974 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622973 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622972 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622971 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.038
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622970 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622969 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622968 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\thumbcache.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: Microsoft Thumbnail Cache
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: thumbcache.dll
Hashes: MD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9C,IMPHASH=428FE673E24F7848BECF2BA2271A839A
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622967 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 5024
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622966 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 5024
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622965 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\dwmapi.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: Microsoft Desktop Window Manager API
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: dwmapi.dll
Hashes: MD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622964 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\twinui.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: TWINUI
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: TWINUI.dll
Hashes: MD5=7F1F1B63C8AA1D6EA1057589ECF0AC12,SHA256=4E20B33E2E951359C9FEBD1EE66A2B24E5BAACB0C6CFF5E3543CAAB00C99AA91,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622963 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\Windows.UI.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: Windows Runtime UI Foundation DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Windows.UI.dll
Hashes: MD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEA
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622962 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 5632
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622961 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 5632
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622960 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622959 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:50.007
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 2228
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622958 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:49.991
SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}
SourceProcessId: 6068
SourceThreadId: 5652
SourceImage: C:\Windows\explorer.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150622957 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:49.991
SourceProcessGUID: {3BF36828-0669-61F8-11DA-01000000CF01}
SourceProcessId: 6068
SourceThreadId: 5652
SourceImage: C:\Windows\explorer.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e

EventID: 23 (FileDelete) | Version: 5 | Level: 4 | Task: 23 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 71066280 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-host-987.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.414
ProcessGuid: {B81B27B7-4B4D-61E8-6F00-00000000CE01}
ProcessId: 3156
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=9C583E819CC4BFEA48B10E32C0BF0701,SHA256=16281AF7D38D09C352209D2F923F7BBA302BE328EF78D72D1E572637CB704D45,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - insufficient disk space

EventID: 23 (FileDelete) | Version: 5 | Level: 4 | Task: 23 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623049 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.741
ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}
ProcessId: 3900
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
Hashes: MD5=9549C222C7A97E12F7BC8B825E5F73D5,SHA256=885C92139789BF5E30E1E3FBBB4EF30633DE2443014BC2A7C983F93B2DD3D394,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: false - insufficient disk space

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623048 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.460
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\Windows.Storage.Search.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: Windows.Storage.Search
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Windows.Storage.Search.dll
Hashes: MD5=17D1040EDBA639BD1C2F7577D1070498,SHA256=E3F2CF21782C856A639525E84FF3C413C7CD091297C9A248CBC24541E2D76584,IMPHASH=DE60A0BFF7F6069AA615B149D44D1D3F
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623047 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.413
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\SharedStartModel.dll
FileVersion: 10.0.14393.4169 (rs1_release.210107-1130)
Description: Shared Start Model InProc Server
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: SharedStartModel.dll
Hashes: MD5=1ED630477E6FEFE3C7722FDBA69D905F,SHA256=96846D692A680859F229E9E8BA01A04DB81808871F61E1D1674919DBCF333287,IMPHASH=D57A6858D1CBDF14F3CE8801F944C825
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623046 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.444
SourceProcessGUID: {3BF36828-4B39-61E8-1400-00000000CF01}
SourceProcessId: 1072
SourceThreadId: 1200
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2A00-00000000CF01}
TargetProcessId: 2992
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x100000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623045 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.444
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\MSWB7.dll
FileVersion: 10.0.14393.2791 (rs1_release.190205-1511)
Description: MSWB7 DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: MSWB7.dll
Hashes: MD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623044 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623043 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623042 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
ProcessGuid: {3BF36828-DC58-61EA-5F4E-00000000CF01}
ProcessId: 2772
Image: C:\Windows\System32\RuntimeBroker.exe
ImageLoaded: C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
FileVersion: 10.0.14393.3808 (rs1_release.200707-2105)
Description: OneCoreUAP Common Proxy Stub
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: OneCoreUAPCommonProxyStub.dll
Hashes: MD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623041 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-DC58-61EA-5F4E-00000000CF01}
SourceProcessId: 2772
SourceThreadId: 3160
SourceImage: C:\Windows\System32\RuntimeBroker.exe
TargetProcessGUID: {3BF36828-066A-61F8-13DA-01000000CF01}
TargetProcessId: 3168
TargetImage: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623040 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623039 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623038 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623037 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.429
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623036 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.413
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 10 (ProcessAccess) | Version: 3 | Level: 4 | Task: 10 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623035 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 20:59:51.413
SourceProcessGUID: {3BF36828-4B39-61E8-0C00-00000000CF01}
SourceProcessId: 840
SourceThreadId: 5804
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3BF36828-4B49-61E8-2B00-00000000CF01}
TargetProcessId: 3000
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID: 7 (ImageLoad) | Version: 3 | Level: 4 | Task: 7 | Opcode: 0 | Keywords: 0x8000000000000000 | EventRecordID: 150623034 | Channel: Microsoft-Windows-Sysmon/Operational | Computer: win-dc-128.attackrange.local
RuleName: -
UtcTime: 2022-02-01 
20:59:51.413{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 10341000x8000000000000000150623033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:51.413{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150623032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:51.413{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000071066281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:52.430{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB89CA03B526F6B2E51CF1392389C88,SHA256=5259413EF34179D1D1292140FD370A6F73FBAA3A3E8AFFDEF83AAB18CDC00AEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:34.383{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52446-false10.0.1.12-8089- 23542300x8000000000000000150623142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E992BBAE472F89C609DC881D2D470E,SHA256=1FFCF47C2F289CD905DE0906119A5D82065C0B00D7119FB3D8BCA9B126B39549,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.507{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\System32\cmd.exeC:\Windows\System32\winbrand.dll10.0.14393.2515 (rs1_release_1.180830-1044)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=CDA73668510FF0BA02967236A857CE7B,SHA256=24ADC4950116C2E3994450465B305D469B78F687EAADCBC167A8C4ECD4907306,IMPHASH=2C424150D7AE913E28B879B06042C9F2trueMicrosoft WindowsValid 734700x8000000000000000150623140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.507{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150623139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.491{3BF36828-0669-61F8-11DA-01000000CF01}60684548C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.491{3BF36828-0669-61F8-11DA-01000000CF01}60684548C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.491{3BF36828-DC58-61EA-634E-00000000CF01}45404808C:\Windows\system32\taskhostw.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.491{3BF36828-DC58-61EA-634E-00000000CF01}45404808C:\Windows\system32\taskhostw.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.491{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x8000000000000000150623134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.476{3BF36828-0669-61F8-11DA-01000000CF01}60684240C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.476{3BF36828-0669-61F8-11DA-01000000CF01}60684240C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.476{3BF36828-0669-61F8-11DA-01000000CF01}60684240C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.476{3BF36828-0669-61F8-11DA-01000000CF01}60684240C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.460{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.476{3BF36828-0669-61F8-11DA-01000000CF01}60684240C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.460{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.460{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.460{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.460{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000150623124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.460{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000150623123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.397{3BF36828-DC58-61EA-5F4E-00000000CF01}2772C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\msi.dll5.0.14393.4350Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=DEC633243BDCEAD0E3BDDDAFBC933F02,SHA256=FC9AFA9CDD6ECC1194C1532F37AF6FEE9E888DC5D2056BCE0C59538A389FC9DE,IMPHASH=702DDC1509DE604C8D612A66E9E39DACtrueMicrosoft WindowsValid 734700x8000000000000000150623122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150623121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 
(rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150623119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150623118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150623117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 
734700x8000000000000000150623116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150623115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150623114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150623113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.429{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150623110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150623109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}25045708C:\Windows\system32\conhost.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150623107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150623105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.429{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.413{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
20:59:52.304{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150623052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.304{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000150623051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:52.304{3BF36828-DC58-61EA-5F4E-00000000CF01}27723456C:\Windows\System32\RuntimeBroker.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000150623050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.022{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B730E874421451668D81E44687727B85,SHA256=7B417205BDD323AC6DE5C4535813F410A30F0326D8543858A6C0AA09236FD44D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:53.445{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94159B4402C4E23E8B12573DEE845A1C,SHA256=2ED8E1C7E522E3C70D05C8C957C6CC60BA3A2840ECC543ACC38BFCB6F0C22217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:35.882{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52447-false10.0.1.12-8000- 23542300x8000000000000000150623145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:53.226{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8964D10C90D20050311523CDC0962ECF,SHA256=66682C5D48D6C84140A1F3344EAF0D4A26A8D259D90FB87B2D1F18A465261091,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:53.147{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB039BA2C8FF896E99F867385567781,SHA256=97FF93B8CB9D4B8764742E812486FC80A195B5E769633E29147596E9BC209AFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:54.555{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEAEB09C6618D48DD04094C80BA9D11,SHA256=1E0985AB2F11997EF793845F6D16231C35534DA359F7F38192AECA8F3EAEDCE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:54.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EC863606C118707194FEF2EAD782EB,SHA256=090EE1960513AAE28E2C50E498DF373493D3F917E6756C5788B524D1ABF658C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:46.804{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:55.586{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDD738415CFFFA0C432447AC9D37C22,SHA256=988B94C8417A2CD5D85F13DC349307E6828B81B3FE02ADAAD2E0365F7BB81B8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:55.476{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:55.476{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:55.476{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:55.476{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000150623148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:55.210{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF12215322F92EFE015DDB3984A8AA8,SHA256=C621B40D352C3406BFB810B5B20830C4AEB6FABCD8212D08E87EF5113AB74123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:55.070{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99C54328C1E8A8CA19C9F9D262A02584,SHA256=08F80F38F325CA1E59850679E3976EDCE90F78EFFBA256BCA902472961DE6633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:56.602{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5118F4B5D25C2B49870317468D87F3E1,SHA256=98DB41DD30BE448AD4375175CF80B2CD7AC629F3CA1C65DFDF42B5BF9D1271D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:56.257{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D24B5CDB13CB54FE295F7D3B22D885,SHA256=DB808CA4CEBBCD66CCEB2B20EB186BCF883963F26D7C9A0F85B9FD68408BAA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:56.241{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D47F1365F6A09AEB6512C8C1260F4EE,SHA256=E95385D31E60677972841E5BD5494A7027AACFF7D2656EFE647778A51390230F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:57.633{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39843799864D11D4088721899DBC472,SHA256=E8B2D9BC78E76F5E13D980AFF8F68CCD8826046D22696494CEEE1CA6B4C00477,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:57.679{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 
10341000x8000000000000000150623163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:57.679{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:57.679{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:57.679{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-12DA-01000000CF01}6088C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:57.679{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000150623159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
20:59:57.679{3BF36828-DC58-61EA-604E-00000000CF01}38724180C:\Windows\system32\sihost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:57.632{3BF36828-4B39-61E8-0C00-00000000CF01}8405804C:\Windows\system32\svchost.exe{3BF36828-066A-61F8-13DA-01000000CF01}3168C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\
insufficient disk space 23542300x800000000000000071066294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:03.320{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D8094C86B2D9D25DA84BEDF34B63E0,SHA256=47E0ACA3AE2804CC4FEFD78DF056AF22089BD09D565AEE6FD7B558281EB6982D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.944{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9100F894C55DB8F49FFDBFFD4A48E894,SHA256=3C312EF29B86B4FAED6860E8C1A58DC39C447C04C83538933A9ACEEAA46D8D8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.757{3BF36828-9F54-61F9-320A-02000000CF01}46601156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000150623275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.757{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.757{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150623273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.741{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F9ADCCD24462BB54A4B26488EC8BAB,SHA256=2DC9009F3390B677B9389147DFFE66CAFDF908849BE79ADBD6FD042ACDED37FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000150623268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150623267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150623266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.616{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.601{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.601{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000150623261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.601{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150623260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.601{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150623253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150623248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 
734700x8000000000000000150623243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000150623236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000150623231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:04.585{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:04.585{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.585{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.570{3BF36828-9F54-61F9-320A-02000000CF01}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:04.336{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A287F0DFF8252E4E0151D947068C77D3,SHA256=384D9BD2A4E4DEDDE1EFA2E4CE1E631B57BEDED39A275953544EC7AD454E4EE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150623224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.085{3BF36828-9F53-61F9-310A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.085{3BF36828-9F53-61F9-310A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:04.085{3BF36828-9F53-61F9-310A-02000000CF01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071066297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:05.508{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C5CDF089D07AF9F4A167FB296DD461,SHA256=C2153A701983306D407522C33D76C6F3CC73764D1E6E710B9378E751AEF731B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 20:59:57.851{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:06.572{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38C33BB8AE077C16772DE12A415F762,SHA256=3B522830010676B962EF35A60078BDB91F59D221C0546368D84D4A0B47B3D0E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:47.709{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52449-false10.0.1.12-8000- 23542300x8000000000000000150623278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:06.101{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A4F7ECC298CB3A6CBCB307AF6CFF72,SHA256=86A2027E5D59B380BCE15704E55056A2A85B551B86C165758979D1E408327381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:07.585{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E51E12D687F6871F10E1D57AD627811,SHA256=40AF98E95B4ADFFCF73A892A35DBCECB5E7B2456B3CDF9A42CBF08F6868DCE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:07.116{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02C3A6236286772FB975F4E810BB9EB,SHA256=001DC9CA38228B61023CC6D660FC65ED085FBE0CE34BD3880624938C3ADF2AD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:08.588{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846AA47C929A79EACB0B4D0193592EA7,SHA256=BDCEB44CC5AD9A096D0CB8028CD3CDDA344DC8F59274DD10D51C592DD9172673,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150623305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.585{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.585{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.585{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.585{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.585{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x8000000000000000150623300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150623299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000150623298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x8000000000000000150623297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150623296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.569{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.554{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.554{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.554{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.554{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe10.0.14393.4104 (rs1_release.201202-1742)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerMgrMD5=CDACB50345D70AB9D6AAA8C00C1D08CA,SHA256=95F57395CE1C04DAB609571CE86E48D1DBFA81CAFCD9D724EAA9AC6DF2ECF4DC,IMPHASH=6DC2C72968365A54FACC1F52003C32E9trueMicrosoft WindowsValid 10341000x8000000000000000150623285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.554{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:08.554{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F58-61F9-330A-02000000CF01}4392C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:08.538{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:08.538{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150623281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:08.132{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FAE8BEE73A2EF012223F5FED89EB5B,SHA256=39D8BC8CC28AE6EC64452A42C67CB7DDE35B0D6445638E039DB4D65667D53308,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:09.604{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8963864A723BCEBFCCE3B41717AD4D57,SHA256=DEDF2B8171D17076C0A00A62664965AC0232048C5E2625E128D0635C965DE438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150623355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000150623354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150623353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.961{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.944{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:09.944{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 
(rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.632{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000150623398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150623392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000150623391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150623390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150623383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150623376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150623375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000150623370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:10.616{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:10.616{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:10.616{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.616{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.601{3BF36828-9F5A-61F9-350A-02000000CF01}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150623363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.241{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4764DFC8718277B5245732D110EB71,SHA256=9BBC5836941AC6A1BAF301C7C9304C18C2BFAB3DCCA455D2334CCD39927C0870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:10.182{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F5A-61F9-CA09-02000000CE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:10.166{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:10.166{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:10.166{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:10.166{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:10.166{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9F5A-61F9-CA09-02000000CE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:10.166{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F5A-61F9-CA09-02000000CE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:10.136{B81B27B7-9F5A-61F9-CA09-02000000CE01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000150623362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.116{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.116{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:10.116{3BF36828-9F59-61F9-340A-02000000CF01}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® 
Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000071066331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.651{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1677F3D45D05CACE9F3456797F1D4D3A,SHA256=55B05ED33AE83833D69C9D604AB42B3762D5115713CDDA476E2A46653A3FCB8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000150623486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150623481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150623476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.991{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.991{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.991{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.976{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000150623469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:52.803{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52450-false10.0.1.12-8000- 734700x8000000000000000150623468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.460{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150623467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.460{3BF36828-9F5B-61F9-360A-02000000CF01}56084816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.460{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.460{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150623464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.382{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B076D03D4D847BA08AA30DC58FA6A019,SHA256=C3C642FD310AD0BD833B2BEB05FE71AF485FBA17C9A33BC78D13065B37138048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.320{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.320{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.320{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.320{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150623459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.320{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150623458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150623457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000150623456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150623447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000150623446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP 
Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150623442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
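The records above are Sysmon Event ID 7 (Image loaded) entries for splunk-powershell.exe (PID 5608) on win-dc-128, with the field separators lost in export: after the channel, host and timestamp come ProcessGuid, ProcessId, Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature and SignatureStatus. Two details matter to a reviewer. First, the Splunk Universal Forwarder ships its own OpenSSL (libeay32.dll and ssleay32.dll, version 1.0.2t) and libxml2 (2.9.9) next to the agent, signed by Splunk, Inc. with a valid signature, so a signature check alone says nothing about whether those bundled components are current. Second, win32u.dll (and, further down, ntdll.dll) carry an IMPHASH of all zeros, which only means the PE has no import table. The Python below is an added example, not part of the export and not Sysmon's or Splunk's own tooling: it parses the "Key: Value" message body Sysmon renders for Event 7, builds a per-signer module inventory and flags unsigned modules, vendor-bundled modules, and bundled components on an end-of-life branch, while recording the zero-IMPHASH case as a note rather than an alert. The sample records are constructed to mirror the ones above; the `example_unsigned.dll` record, the `EOL_BRANCHES` table and all function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records in the "Key: Value" message form Sysmon renders
# for Event ID 7 (Image loaded). The first four mirror records from the
# export (splunk-powershell.exe, PID 5608, on win-dc-128); the last is a
# hypothetical unsigned module that does not appear in the export and exists
# only so the signature rule has a case to fire on.
SAMPLE_MESSAGES = [
    r"""ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll
FileVersion: 1.0.2t
Product: The OpenSSL Toolkit
Company: The OpenSSL Project, http://www.openssl.org/
Hashes: MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE
Signed: true
Signature: Splunk, Inc.
SignatureStatus: Valid""",
    r"""ImageLoaded: C:\Windows\System32\ntdll.dll
FileVersion: 10.0.14393.4350 (rs1_release.210407-2154)
Product: Microsoft® Windows® Operating System
Hashes: MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    r"""ImageLoaded: C:\Windows\System32\Wldap32.dll
FileVersion: 10.0.14393.3269 (rs1_release.190929-1234)
Product: Microsoft® Windows® Operating System
Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    r"""ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll
FileVersion: 2.9.9
Product: libxml2
Hashes: MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20
Signed: true
Signature: Splunk, Inc.
SignatureStatus: Valid""",
    # Hypothetical record, not from the export; placeholder hashes.
    r"""ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\example_unsigned.dll
FileVersion: -
Product: -
Hashes: MD5=00000000000000000000000000000001,SHA256=0000000000000000000000000000000000000000000000000000000000000001,IMPHASH=FFEEDDCCBBAA99887766554433221100
Signed: false
Signature: -
SignatureStatus: Unavailable""",
]


def parse_event(message):
    """Turn a 'Key: Value' Sysmon message body into a dict; the first colon splits."""
    event = {}
    for line in message.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def parse_hashes(field):
    """'MD5=..,SHA256=..,IMPHASH=..' -> {'MD5': .., 'SHA256': .., 'IMPHASH': ..}"""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


OS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption for this example: product branches already end-of-life on the
# date of these events (OpenSSL 1.0.2 and 1.1.0 both left support in 2019).
EOL_BRANCHES = {"The OpenSSL Toolkit": ("1.0.2", "1.1.0")}


def triage_image_loads(events):
    """Return (findings, inventory): findings are (kind, module, detail) tuples,
    inventory maps signer -> sorted list of (module, version)."""
    findings, inventory = [], defaultdict(set)
    for ev in events:
        loaded = ev["ImageLoaded"]
        module = loaded.rsplit("\\", 1)[-1].lower()
        version = ev.get("FileVersion", "-")
        signer = ev.get("Signature", "-")
        inventory[signer].add((module, version))
        # 1. Unsigned, or a signature Sysmon could not validate, inside a
        #    SYSTEM-level agent process.
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append(("unsigned_or_invalid", module, ev.get("SignatureStatus", "-")))
        # 2. Loaded from outside the OS directories and not Microsoft-signed:
        #    vendor-bundled code that needs its own patch tracking, because a
        #    valid vendor signature says nothing about the version being current.
        if not loaded.lower().startswith(OS_DIRS) and signer != "Microsoft Windows":
            findings.append(("bundled_third_party", module, version))
        # 3. Bundled component on a branch that is already end-of-life.
        eol = EOL_BRANCHES.get(ev.get("Product", ""), ())
        if eol and version.startswith(eol):
            findings.append(("eol_branch", module, version))
        # 4. Caveat: IMPHASH of all zeros means the PE has no import table
        #    (ntdll.dll, win32u.dll), not tampering; record it, never alert on it.
        imphash = parse_hashes(ev.get("Hashes", "")).get("IMPHASH", "")
        if imphash and set(imphash) == {"0"}:
            findings.append(("no_import_table", module, imphash))
    return findings, {s: sorted(m) for s, m in inventory.items()}


if __name__ == "__main__":
    found, inv = triage_image_loads([parse_event(m) for m in SAMPLE_MESSAGES])
    for finding in found:
        print(*finding)
    for signer, modules in inv.items():
        print(signer, modules)
```

The per-signer inventory is the useful by-product: grouped over a fleet, it is a load-time software bill of materials for the agent, and the `bundled_third_party` and `eol_branch` findings are what a patch review of the forwarder would start from. Keep the `no_import_table` note out of alerting queries; it fires on every process that loads ntdll.dll.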
734700x8000000000000000150623435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150623434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150623428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.304{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150623423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:11.304{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.304{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.289{3BF36828-9F5B-61F9-360A-02000000CF01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071066330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.557{B81B27B7-9F5B-61F9-CC09-02000000CE01}34842504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000071066329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:03.791{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52594-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000071066328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.369{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F5B-61F9-CC09-02000000CE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:11.369{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.369{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:11.369{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.369{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:11.369{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9F5B-61F9-CC09-02000000CE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.369{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F5B-61F9-CC09-02000000CE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.355{B81B27B7-9F5B-61F9-CC09-02000000CE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.307{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E5A2C4BD7C525896B4021AA6C12A31,SHA256=94D0774FF89694BC03C09C70C66B6A465985EDBB84172569DD5050CCA78990F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:11.307{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8494B9624D41B445F5324BECBCA88FB8,SHA256=E610A077AB0A2DFBA407FAA686FCFD98FF2912212F6179C7215848F7F8125203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.554{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B095F0BC301102654C0A3E839F639C5,SHA256=DDBF4803FDA5B0C2C1AA6E3B74318A9E964B8EEF758E22E42BCA19F32A58B7CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68320F125DC7EA037171FDDDE54FBEA,SHA256=2ADFD1605C545A56A0BAF9E5EFA823DEE6704960C559D45923D1D0AC24F65DED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.522{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7A72DE24A5565F0844D690154AD02F,SHA256=79A7C2536D252255FD51EEC16FD5C3EFD67F1AF0499D682BC72DB467AB99EFC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:12.885{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A22573726F26ED775BFBC1C8182B549,SHA256=B533FE91EA05710040A74790329FDB5C8F034E2C4B5E9F2EF42EEA203415DD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
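The Event ID 10 (Process accessed) records in the run above read, in field order, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace. Every access here is benign and the call traces say why: svchost.exe (lsm.dll and RPCRT4.dll on the stack) opens sysmon64.exe with 0x1400 (QUERY_INFORMATION plus QUERY_LIMITED_INFORMATION); csrss.exe (basesrv.DLL, CSRSRV.dll) and conhost.exe (ConhostV2.dll) open each new console process with 0x1fffff, which is PROCESS_ALL_ACCESS; splunkd.exe opens the splunk-powershell.exe and splunk-admon.exe children it has just started with 0x1fffff, and the Event ID 1 records on both hosts show splunkd.exe as their parent; the children then open their parent with 0x101400 (the same query rights plus SYNCHRONIZE). A detection over Event 10 therefore needs the Event 1 join, or every parent opening its child will look like PROCESS_ALL_ACCESS from a stranger. The Python below is an added example, not Sysmon's or Splunk's code: it decodes the GrantedAccess mask, joins Event 10 to Event 1 on ProcessGuid so a parent's full access to its own child is not flagged, allowlists the console subsystem hosts by full path, and alerts on memory-read access to lsass.exe. Sample records are constructed to mirror the export (same GUIDs, images and masks); the `example_tool.exe` record that reads lsass.exe is hypothetical and exists only so the rule has a positive case.

```python
# Sysmon Event ID 10 (ProcessAccess) triage, correlated with Event ID 1 (ProcessCreate).
# Records are dicts carrying the Sysmon field names. All but the last Event 10
# record mirror the export above; the last one is a hypothetical positive case.

SAMPLE_PROCESS_CREATE = [  # Event ID 1, win-dc-128: splunkd.exe starts splunk-powershell.exe
    {"ProcessGuid": "{3BF36828-9F5B-61F9-360A-02000000CF01}", "ProcessId": "5608",
     "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "ParentProcessGuid": "{3BF36828-4B49-61E8-2D00-00000000CF01}", "ParentProcessId": "3056",
     "ParentImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"},
]

SAMPLE_PROCESS_ACCESS = [  # Event ID 10
    {"SourceProcessGUID": "{3BF36828-4B39-61E8-0C00-00000000CF01}",
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetProcessGUID": "{3BF36828-4B49-61E8-2A00-00000000CF01}",
     "TargetImage": r"C:\Windows\sysmon64.exe", "GrantedAccess": "0x1400"},
    {"SourceProcessGUID": "{3BF36828-4B4B-61E8-3600-00000000CF01}",
     "SourceImage": r"C:\Windows\system32\conhost.exe",
     "TargetProcessGUID": "{3BF36828-9F5B-61F9-360A-02000000CF01}",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "GrantedAccess": "0x1fffff"},
    {"SourceProcessGUID": "{3BF36828-4B36-61E8-0500-00000000CF01}",
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetProcessGUID": "{3BF36828-9F5B-61F9-360A-02000000CF01}",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "GrantedAccess": "0x1fffff"},
    {"SourceProcessGUID": "{3BF36828-4B49-61E8-2D00-00000000CF01}",
     "SourceImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "TargetProcessGUID": "{3BF36828-9F5B-61F9-360A-02000000CF01}",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "GrantedAccess": "0x1fffff"},
    {"SourceProcessGUID": "{3BF36828-9F5B-61F9-370A-02000000CF01}",
     "SourceImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "TargetProcessGUID": "{3BF36828-4B49-61E8-2D00-00000000CF01}",
     "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
     "GrantedAccess": "0x101400"},
    # Hypothetical positive case, not in the export: a tool reading lsass.exe memory.
    {"SourceProcessGUID": "{00000000-0000-0000-0000-000000000001}",
     "SourceImage": r"C:\Users\Public\example_tool.exe",
     "TargetProcessGUID": "{00000000-0000-0000-0000-000000000002}",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
]

# Windows process access rights that show up in GrantedAccess.
ACCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020   # VM_OPERATION | VM_READ | VM_WRITE
# Console subsystem hosts open every new console client with full access
# (CSRSRV.dll/basesrv.DLL and ConhostV2.dll frames in the export's call traces).
# Matched on full path so a renamed binary elsewhere does not inherit the pass.
CONSOLE_HOSTS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def decode_access(mask):
    """'0x1400' -> (0x1400, ['QUERY_INFORMATION', 'QUERY_LIMITED_INFORMATION'])."""
    value = int(mask, 16)
    if value == PROCESS_ALL_ACCESS:
        return value, ["PROCESS_ALL_ACCESS"]
    return value, [name for bit, name in sorted(ACCESS_RIGHTS.items()) if value & bit]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_access(process_creates, process_accesses):
    """Return alert tuples; the first element is the rule name."""
    # Join on ProcessGuid, not PID: PIDs are reused, GUIDs are unique per boot.
    parent_of = {ev["ProcessGuid"]: ev["ParentProcessGuid"] for ev in process_creates}
    alerts = []
    for ev in process_accesses:
        value, rights = decode_access(ev["GrantedAccess"])
        src, dst = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
        if dst == "lsass.exe" and value & MEMORY_RIGHTS:
            # Credential-dumping tools need VM_READ on lsass; query-only
            # access (0x1000/0x1400) is normal and stays quiet.
            alerts.append(("lsass_memory_access", src, ev["GrantedAccess"], rights))
        elif (value == PROCESS_ALL_ACCESS
              and ev["SourceImage"].lower() not in CONSOLE_HOSTS
              and parent_of.get(ev["TargetProcessGUID"]) != ev["SourceProcessGUID"]):
            alerts.append(("full_access_from_non_parent", src, dst, rights))
    return alerts


if __name__ == "__main__":
    for alert in triage_process_access(SAMPLE_PROCESS_CREATE, SAMPLE_PROCESS_ACCESS):
        print(*alert)
```

Run `triage_process_access([], SAMPLE_PROCESS_ACCESS)` to see what the join buys: without the Event 1 records, splunkd.exe opening its own child with 0x1fffff is reported as full access from a non-parent, which is exactly the false positive the export would generate on every forwarder restart.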
23542300x800000000000000071066332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:12.354{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E5A2C4BD7C525896B4021AA6C12A31,SHA256=94D0774FF89694BC03C09C70C66B6A465985EDBB84172569DD5050CCA78990F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.116{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150623519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.116{3BF36828-9F5B-61F9-370A-02000000CF01}58285612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:12.116{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.116{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150623516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150623512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000150623511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:12.007{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150623510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000150623501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150623499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000150623494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:11.991{3BF36828-9F5B-61F9-370A-02000000CF01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 23542300x8000000000000000150623524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:13.757{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB72605B52E548C50CF98B9FA9846827,SHA256=F094B6E10AFA2DEE25F85245A92C267FE8D1EFB5B1E03FE8B76AECB4BC912FAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:14.788{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F934C4425A3525649E05B3F84C6B56F,SHA256=FF9B390075170AB09AFCCF2E7E7340300555AD33AF635B0BD563C35D5BEFEFF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:14.057{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C51120A9B627CD71A7813C83367C90,SHA256=17D0001BFBCA949029637924EB79F9689FAE85E6276D6643EDFF4A46A7577692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:15.819{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7575392A2FD8AC5B883A2670D59AC8DD,SHA256=CDBD2D6BDEE76303D436BDDB92C6FEC2CC6DE1EF58CE99FF3E64D86BFA0CC1F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:15.291{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A21883E758B6FCA41EB289A8638AE88,SHA256=A7B1DA090C117517CB57CA4552E77C3B6709A43C51944F672E628C6CE540A830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:16.851{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B4BEF563BF9B4F8082C432A25562B8,SHA256=BE903C6EB9BC5A3632DFFB88B9831010E778F32CEA0AED6DFD0F7CDF18311DFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:08.900{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52595-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:16.354{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CC1DB1710CAC34299D10793E747670,SHA256=D9C32F20033FC72E65828DDB38C75BD22D066206F0AD741C51EE71FB56D2B8EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:16.116{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ACDCD1BCED7DA9249963529DF0A56A3,SHA256=A1AB4CB1282D3E1CDEC9DB9BC9BB284EF72FBADA68B173F7CE7CA5C6BAF54ED5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 20:59:58.772{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52451-false10.0.1.12-8000- 23542300x8000000000000000150623529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:17.866{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AAC564EB50295A64C721E000A257CC,SHA256=78070D2021264ED91F7E55117A0307AFD37BB4BC2263A10C0D3F476F26B57B4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:17.572{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0200DE70CF8909A881E48E22B089D9,SHA256=498BB11887C92142D3992E036B4828F1B4FE7F089A0257F5F00FC5AF2C8D6BC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:18.882{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDFA181C3DFB0A1108E98305902A174,SHA256=ADF87512E9E2DAA900F3A24A89BCDE0CD680C74614AFAE8957FC50D42FBFADE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:18.697{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CD8DF317CABC1EA798294B846737A3,SHA256=27E7262C80C53E7080DF1C3DBF4D4E271D3966E1011BD2F77B8506A48E4334CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:19.713{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A075EC910CB4693B16956F981D13EE5A,SHA256=C618D5C0E2BE68C6E0E68F8FD95858591C888045689D557C6EBC749133878732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.648{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C44793063CB3C69FDC6FF7877E525C94,SHA256=B027F830F1C37D872F817AAFDA69AA3084C15B5B27A1CF67CB94D462C2291534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150623582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.554{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.554{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.554{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150623579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base 
cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000150623575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150623574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.366{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150623571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150623569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150623567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000150623565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150623557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000150623554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating 
SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
734700x8000000000000000150623547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150623543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000150623540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150623538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:19.351{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:19.351{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:19.351{3BF36828-4B36-61E8-0500-00000000CF01}4164876C:\Windows\system32\csrss.exe{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.351{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.336{3BF36828-9F63-61F9-380A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:20.729{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708E5AB3F956E23BB712486B2CE991DE,SHA256=9510A030471EFFE4C1D2157B14608798126DB642DF3561EA641529779AE3AB1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:20.351{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C85BD6ADA69308951CA977D6F08524,SHA256=3E85D5616A0BA3D172FC2ADB6B1480B2FD7FE72BF38BDDAD3D8450D229F5E838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:20.241{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49CFFA2BB107378A6B9B3F78538F194,SHA256=C958EC524EB594643E2B97163F9DCBA393E4ADEEA5188D35399E322DB36AFAB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.994{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:21.994{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.994{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:21.994{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.994{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-9F65-61F9-CD09-02000000CE01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.994{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F65-61F9-CD09-02000000CE01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.979{B81B27B7-9F65-61F9-CD09-02000000CE01}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000071066343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:13.931{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:21.729{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
734700x8000000000000000150623645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150623644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150623643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150623642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150623641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.366{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.366{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.366{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150623636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.351{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.351{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000150623634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.351{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000150623633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.335{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll4.8.4311.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=6CBC81BAC24DB72678EDD32BC2F6777E,SHA256=1EB3B3F40CC5DA4214FED6361009A818F25575CE2D22FDFD1D95D67085C37F4C,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000150623632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.335{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4350.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=C018D3F757D7E3057B71D38FCB390D1A,SHA256=BF63BB7CA92F9EE37F7447FDDC1097AF68EFBEC460701C505AC17165CE095317,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 734700x8000000000000000150623631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.335{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.335{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll4.8.4350.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class 
LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=83AC6604E968E03B3CA0F949A3A9D0EC,SHA256=F7B9A431E58DE2663CE1E2F9E06BC88D09FF6262F2D49CB8398604D40B073378,IMPHASH=00000000000000000000000000000000trueMicrosoft CorporationValid 734700x8000000000000000150623629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32F,IMPHASH=CD244BF7A749BF0B13E038D2EE842BFCtrueMicrosoft CorporationValid 734700x8000000000000000150623628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153,IMPHASH=0524DC27AA10ADA72FFB6F88F5FD8829trueMicrosoft CorporationValid 734700x8000000000000000150623627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4350.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=C18829F26EA42DB768E009F898D8EF00,SHA256=4CDD240CECF8B403800DBE363E2189622BD7FC69CA1867AC5C3E61210D8E0E49,IMPHASH=2BC2B098BC197051D6B424CC7B54426FtrueMicrosoft CorporationValid 734700x8000000000000000150623626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000150623625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150623623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000150623622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150623615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 734700x8000000000000000150623614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.319{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150623610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F48-61F9-300A-02000000CF01}25045708C:\Windows\system32\conhost.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 734700x8000000000000000150623606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exeC:\Tools\Rubeus.exe1.0.0.0RubeusRubeus-Rubeus.exeMD5=ECCFE02363BDC0068F2DAEF326EA356F,SHA256=BE95105C17452B68806C1DE4DF5725A4ADE81A0FB05AEC047AA2C30C633DD05E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000150623604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:29.304{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.304{3BF36828-9F48-61F9-2F0A-02000000CF01}4924836C:\Windows\system32\cmd.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:29.312{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe1.0.0.0RubeusRubeus-Rubeus.exeRubeus.exe monitor /interval:5 /targetuser:administrator 
/nowrapC:\Tools\ATTACKRANGE\Administrator{3BF36828-DC57-61EA-2C91-EE0200000000}0x2ee912c3HighMD5=ECCFE02363BDC0068F2DAEF326EA356F,SHA256=BE95105C17452B68806C1DE4DF5725A4ADE81A0FB05AEC047AA2C30C633DD05E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071066394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:30.807{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03371FE7CBA1C317C2C25A9073BF7252,SHA256=31B64FEC5090FF27240B4956A5CE00E78F7742ECA7400A825ED6986C042844EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:30.632{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCDB718FFF794305484B77D2756589B,SHA256=4F0C7F34F6FEC9AD950EAF376F0C7AF8A9B6BDE8F19B28477521D37C355C9050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:30.319{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE7373CA99C78B4C7208E7693CE32E74,SHA256=3CE7E63799CE0415FE89CA8F501F8308C2B7993C0FF4865CFBC18D313CF4F0B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x800000000000000071066396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:24.822{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:31.822{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F539FECAFF3743E66EDF6106E62280,SHA256=926505D51DFE14F0FD594257FFE7F2EE1C37BFBD633A3C58A52A503DBD48D04D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:31.647{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A571892A75D31FA511A83A2871AA7E8,SHA256=D27E5E4A74086E27538A4CF7E64CE6AE54E0315D23359B220877AEF0B15BB53B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:31.601{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:31.601{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:31.601{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:31.601{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:31.585{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:31.585{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:32.822{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95B2A6C605DE416C94336C014B0C73A,SHA256=7935F11EB7E8E78F5CDF5D1BDA2D273755B9D210E742B6FBFDBCD763451408DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:32.679{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF3D2ACC80849CD95C29D9C5F93E0D8,SHA256=DDC49C655D4491FB287E837C188EFA85A4E5AC5DD842210E38E44646CECA5AA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:13.913{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52454-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150623659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:13.913{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52454-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000150623658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:32.163{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48BC439A2BE54CD3E0E9B979637F8DF6,SHA256=619613F8605CB7913DB53D679B88B2E556795F1285029AC0E7EB4980015D2DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:33.838{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6908D7A8DCB28F09C0CA558F312AD6,SHA256=39DA6BE6F7B1D5D43985C3C4EA14C40805A399B449D66B945B7C60D6291C5AF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:33.694{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E032BFAABE7ADCB54805ACE649C9AF,SHA256=C9C49C19E9E6C1F23F3D55E60D6F9D321E19A4F24BD002ECA194D720C721CF2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:14.818{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52455-false10.0.1.12-8000- 23542300x800000000000000071066399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:34.854{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3750AEFD45E14B87E7393F1268ED7D,SHA256=D61B14F32233CEFC3BFB639E13FA8D1E64CCABBF979FFEFA55C0B15E8D1FF4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-9F48-61F9-2F0A-02000000CF01}4924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.772{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-9F48-61F9-300A-02000000CF01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150623668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.726{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E01CF5B4B510E626CCE0C007D810DE1,SHA256=95C38A1F7E2CF5141FDE466F7A1E5820964150553804F6E259A4710EDDD85647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:34.397{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.397{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:34.397{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150623664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.397{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:35.869{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA68F8DE2AFA8EA2FDD5FADCCF82CFDF,SHA256=85885CA7C10BAA25A55945CAE188209604909519485C3F2A28118C2A25AC4CC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:35.772{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10753E6DCFD48E4CEB7692B89C76460B,SHA256=6AB66BD92ADF2BD6BE5071D7E287A28E587F9F97FC2202E80CFB1FADE143AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:35.413{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07CAB829F9F129B67F553513F89BD4FE,SHA256=1A4BDC632F7190EDFFDA34B41C78821F91F87C1C4B834BE24D706F6167FEC77B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:36.869{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF4E692055DDB009EFD8A409ABF9D02,SHA256=5565279A3D125FA0E9BC60EC1CE8557354609CED342A5BBD60DE2B81030E6EB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150623683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:36.788{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83272965C94E66E61AD3551A98A7AD2F,SHA256=3DD5FFFCC83FA8E79319BCB76C8C6F69030BB0738D982578D96701F80A11C711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:36.257{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:36.257{3BF36828-0669-61F8-11DA-01000000CF01}60681280C:\Windows\explorer.exe{3BF36828-96A8-61F9-2309-02000000CF01}6048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:36.241{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:36.241{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:36.241{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:36.241{3BF36828-0669-61F8-11DA-01000000CF01}60685556C:\Windows\explorer.exe{3BF36828-96A8-61F9-2409-02000000CF01}5088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150623685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:37.804{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7FE2DCCA975FEE9CAA3FB5FBE82B80,SHA256=8DA149C5CD69AAF1F77593DE43CE51A96B589DCC6B6612E9458A800D80E2025C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:37.885{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DC82566FF5B8D804B52E4C5745197C,SHA256=51B6B4F66FB9F546496B1F5D50968F9B4A7CDE629388588FF88D2EEE110F5170,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:29.869{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150623684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:37.194{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F489BA10CE2EC7AE1982E2AB1BD256D,SHA256=BD9FCAB8DD3CB2192137AD9D9D295D81E2465057FFD88AD68DC1BF8CB7D5159D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:38.885{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AF3AC091F05E04A0B0F1EEC37C3778,SHA256=C8E0E5D16491E7A84399C2F221CBC53840D53E3273B72975D441A57B4EC7374A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:19.850{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program 
21:00:39.694{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.694{3BF36828-4B3A-61E8-1600-00000000CF01}13001356C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.694{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000150623818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.694{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150623817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000150623815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150623814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000150623813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000150623812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000150623811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000150623810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}60845976C:\Windows\system32\conhost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000150623808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 
(rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000150623806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000150623803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000150623799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4402 (rs1_release.210426-1725)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=EBEFEF1FE2B0D6FF2595203DADE100C9,SHA256=70F4BB4198467DA8E2FD7AF475536B3F2FD1B3E56CEE7E376D0303C149C449F9,IMPHASH=49A59B06FE5B10F21E36B588430BFDB3trueMicrosoft WindowsValid 734700x8000000000000000150623794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.679{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000150623793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-DC57-61EA-584E-00000000CF01}10404376C:\Windows\system32\csrss.exe{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150623792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000071066428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-9AE0-61F1-2A19-01000000CE01}4904C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DF-61F0-78F6-00000000CE01}2836C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:39.807{B81B27B7-4B39-61E8-0D00-00000000CE01}804824C:\Windows\system32\svchost.exe{B81B27B7-73DE-61F0-77F6-00000000CE01}4476C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3D0A-02000000CF01}6084C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 
10341000x8000000000000000150623788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-DC57-61EA-584E-00000000CF01}10405080C:\Windows\system32\csrss.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000150623787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft 
WindowsValid 734700x8000000000000000150623784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000150623783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.663{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.663{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B3A-61E8-1600-00000000CF01}13002144C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.668{3BF36828-9F77-61F9-3C0A-02000000CF01}5760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exeC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-9F77-61F9-EF15-311300000000}0x133115ef3HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-9F76-61F9-3A0A-02000000CF01}5916C:\Windows\System32\runas.exeRunas /user:attackrange\administrator cmd.exe 10341000x8000000000000000150623776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.663{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft 
Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x8000000000000000150623774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-4B3A-61E8-1600-00000000CF01}1300C:\Windows\System32\svchost.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x8000000000000000150623773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000150623772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000150623771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150623770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 734700x8000000000000000150623769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000150623768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.647{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150623767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.647{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000150623762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150623761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150623758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150623755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150623754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000150623752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:39.632{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F77-61F9-3B0A-02000000CF01}1320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:48.201{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61C9471CE22A42BEE507CC421E0BAD0,SHA256=21A71EF96FA6B901BDF591F98B84CDAFED6F42489D0043F9B48A4E5660FE64FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:48.010{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC68D232BF96F718A2AEF48F37CC9DED,SHA256=CFEA15F0CA97120D68F744D95E60ACEF619930AAFD645FDA2F8BDE26ED651908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:48.154{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9828BDAFB7B09B19C4D2B256C341BAE6,SHA256=098EA0C71D88845428196E442FD62972F092963B8E3BD8EA323978188051623E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:49.498{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:49.498{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:49.498{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150623879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:49.498{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:49.420{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:49.420{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:49.420{3BF36828-4B39-61E8-0C00-00000000CF01}8404244C:\Windows\system32\svchost.exe{3BF36828-4B39-61E8-1500-00000000CF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150623875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:49.248{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327CCD7BA7A8F0DCF2A4DCCEFBBF3B3D,SHA256=9E249F9157DF36F489D7A254D3C6D2D3DCC1C528EFB1277E1BD8845D95EE1459,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:49.026{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C4BAA0137515697F98F4C0892208CB,SHA256=24B2C0E31A3CEF184B626432AB9155BB0D2F8C35E28320993592AA254123BFED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:50.026{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EA7F08C8615183F2C820B68237EE55,SHA256=9A54AB163E1B7761E67051027C83EB74D72C6674792BDCE9B8A0559D047021C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:50.748{3BF36828-4B49-61E8-2D00-00000000CF01}3056NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:50.529{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2617C2F9E45AECAA81F33CDD5241BD44,SHA256=C775A4F43DD7B426EA317FC08293F3CCF2FDDD1486C7D862F24A677EE3462D29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:50.248{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D64806B3572E7B11D1D58A9F32D927A,SHA256=4425229BAB885ED9626A0D257CB67BEC86CC98EC93A5C4252DFDBF7B818050CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:51.733{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B351312E47B9EE281E88D908DF50E331,SHA256=DE8C9B3237C734352D2D2147F226AA9BDE248AFDCFA203C53F7DFC93853F942C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:51.279{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B786EF4BADDF4EA9A2961B855655FF,SHA256=213C8B9CADE9E5B621462F11C8A9CE4DD0EAF80E21262AA4865C7B1F53505FCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:51.041{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E75BA0E19B73CB740750207FB8503B,SHA256=D59163945DCE5BED9AA374E59957C78FB666E4A381289E9D6AE2FA527248869F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000150623889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:34.403{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52459-false10.0.1.12-8089- 23542300x8000000000000000150623888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:52.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54444218A842512BF41FBCCE248FCB4,SHA256=10691D7822EB6CBBED85759ABC3EC3A07AFD614645934DF90C93D3983B741D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:45.885{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:52.042{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529B9A374F4402500F0EAE5644C86449,SHA256=D59CD026F89C1ABBA12BD8B720809F3D84F4F5179A754AE916DAACD616DFB133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:35.856{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52460-false10.0.1.12-8000- 23542300x8000000000000000150623891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:53.326{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1513CE51389B2B41674DA6CE5E775589,SHA256=CEBAC8F6CB1D9395704DA4312A8B3DE2B6469C4E90371677AD5DB2535295A4CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:53.057{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A918D3E83E87ECC6CF5419363C3A1660,SHA256=56DA5336AC5BA5CCC9B922D594F5CDD72F770851A3836ABB7586D37514950616,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:53.201{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1C34CB068C8F81ED88BCB193E0D8CB,SHA256=97F00E430907940E414100EE68259ECB609D6F6D7B4626AFB40B92037302B5B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:54.073{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C610E74C2D8C4325EE17C75E4381DF,SHA256=1A560FFFDEED4425149F7D7BF2221B47449AC94ABE97750731E88D584D4BD070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150623897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:54.514{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:54.514{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:54.514{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150623894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:00:54.514{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150623893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:54.342{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08FC212A4F5B57E11E3990038D867A1,SHA256=B702CD9317930EA194AF5880D4D7007DC5904D5C8EFCCA25D9776AC9EB002560,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:55.748{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D68F8507C6365FC13D61C6DF9E6E6FF,SHA256=A96EA42F6CC0D1D09B487BB802B42CB052C01BF36E47E10D71E767A726A3856B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150623898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:55.357{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F335858A6D44446B0D9AD9DE3E32D0A2,SHA256=AFABBF165582EFD6F9624C94B2D29D699082938F40983F4B12DD7A7E8D211237,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:55.088{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907D92E3800AEFF2874E37FF33C99A05,SHA256=938C793F16A789BE1E95CF761336657A162DBC13D19A59CA971157FD5B624685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:55.073{B81B27B7-4B3A-61E8-1000-00000000CE01}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=770FC2F0ADB96291ED75707D5399A1DE,SHA256=D8D1DE80D1EBC843D05D9A5189D4B85DC61BE278B9A70777006E694C0D5073D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:56.373{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D540DA56849EAE339AFEF1E1286BCF6,SHA256=312427AB25BB2EE2416683F3F7E381C03101050B2FDAB8381AD026AB899E805C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:56.104{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFF5393F2B1B6E3D7649542F6489CF6,SHA256=6F0E5125E9DF9C8A3B076D50B23253DCC9495FDCE8D003937B5D00DD916A5BD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:57.389{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C091D3BE48B08293E5EE0D7CA177E9EC,SHA256=F44F0C582B4135272B8D4F3AD9E70593E73D229173DD593063C79BA44298011C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:50.947{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:57.120{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DEF0C1FAC0F57877EBF9723EFD4949,SHA256=695AE6A4D351194449EAF169D03E1F71D3C69803F4654AD485B66FAA976F3CA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150623904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:40.919{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52461-false10.0.1.12-8000- 23542300x8000000000000000150623903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:58.404{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0C85F975AD8C9F7AD618DB98C0C472,SHA256=E7F3E00DDF01E9BDF3164E5042D245022CF455075248E467C51989BFCE4F8C7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:58.120{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612B69136C8BBF3802DBD8CA0E45B19E,SHA256=AB80F4AD77A95B58FA76532761F7DF91557B48E354C8CA6969C52AF8AC7A5C81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:58.279{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47A006DA0CC6BC1CE15D57168822113D,SHA256=D01A3318314CD598B060E0702BB6364E97A0B667EDA6B4E69E47BBE0DFAB7F33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623909
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.529
  SourceProcessGUID: {3BF36828-4B37-61E8-0B00-00000000CF01}
  SourceProcessId+SourceThreadId: 6322768 (run together by the export; read as PID 632, TID 2768)
  SourceImage: C:\Windows\system32\lsass.exe
  TargetProcessGUID: {3BF36828-9F6D-61F9-390A-02000000CF01}
  TargetProcessId: 1272
  TargetImage: C:\Tools\Rubeus.exe
  GrantedAccess: 0x1478
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623908
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.529
  SourceProcessGUID: {3BF36828-4B37-61E8-0B00-00000000CF01}
  SourceProcessId+SourceThreadId: 6322768 (run together by the export; read as PID 632, TID 2768)
  SourceImage: C:\Windows\system32\lsass.exe
  TargetProcessGUID: {3BF36828-9F6D-61F9-390A-02000000CF01}
  TargetProcessId: 1272
  TargetImage: C:\Tools\Rubeus.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623907
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.529
  SourceProcessGUID: {3BF36828-9F6D-61F9-390A-02000000CF01}
  SourceProcessId+SourceThreadId: 1272956 (run together by the export; read as PID 1272, TID 956)
  SourceImage: C:\Tools\Rubeus.exe
  TargetProcessGUID: {3BF36828-4B37-61E8-0900-00000000CF01}
  TargetProcessId: 572
  TargetImage: C:\Windows\system32\winlogon.exe
  GrantedAccess: 0x1f3fff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C)

Sysmon EventID 10 (ProcessAccess), Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623906
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.529
  SourceProcessGUID: {3BF36828-4B37-61E8-0B00-00000000CF01}
  SourceProcessId+SourceThreadId: 6322768 (run together by the export; read as PID 632, TID 2768)
  SourceImage: C:\Windows\system32\lsass.exe
  TargetProcessGUID: {3BF36828-9F6D-61F9-390A-02000000CF01}
  TargetProcessId: 1272
  TargetImage: C:\Tools\Rubeus.exe
  GrantedAccess: 0x1000
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 150623905
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-128.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.420
  ProcessGuid: {3BF36828-4B5D-61E8-7600-00000000CF01}
  ProcessId: 3900
  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=7B4CDA444AF54479F44B1A2A73D09A6E,SHA256=453B7E0D7D354F7287E81C598465A63C3B9464C5BE3D54CBC621E372386EE2B7,IMPHASH=00000000000000000000000000000000
  IsExecutable: false
  Archived: false - insufficient disk space

Sysmon EventID 23 (FileDelete), Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, EventRecordID 71066455
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-host-987.attackrange.local
  RuleName: -
  UtcTime: 2022-02-01 21:00:59.135
  ProcessGuid: {B81B27B7-4B4D-61E8-6F00-00000000CE01}
  ProcessId: 3156
  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=490A1C73D8C169DB400C0DFA9DC3BA2E,SHA256=22917D2CD78CB4D1E4DDB23AA9E9362E3318FC508689A1F7892940B96C8BFF60,IMPHASH=00000000000000000000000000000000
  IsExecutable: false
  Archived: false - insufficient disk space
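The four ProcessAccess records stamped 21:00:59.529 above are the security-relevant part of this capture, and the direction of each one matters. In records 150623909, 150623908 and 150623906 the SourceImage is lsass.exe and the TargetImage is C:\Tools\Rubeus.exe, with a call trace that passes through lsasrv.dll and SspiSrv.dll into RPCRT4.dll: that is LSASS opening the process that called into it over the LSA RPC interface (SSPI or LSA authentication-package calls), so the handle, whether 0x1478 or 0x1000, is held by LSASS and nothing is reading LSASS memory. A rule keyed on TargetImage=lsass.exe never sees these events, and a rule that only looks for lsass.exe somewhere in the event together with VM_READ in GrantedAccess fires on the wrong process. Record 150623907 points the other way: Rubeus.exe opened winlogon.exe with 0x1f3fff (the pre-Vista PROCESS_ALL_ACCESS value 0x1f0fff plus the *_LIMITED_INFORMATION bits the kernel adds when the full rights are granted) through .NET System.dll frames, which is enough to open winlogon's token and impersonate SYSTEM. The Python below is an added example, not code from the page or from Sysmon, Rubeus or Splunk: it parses records in the flattened form this export uses (anchoring on the run-together System fields, the braced GUIDs and the GrantedAccess mask), decodes the mask, and applies direction-aware triage. Three of its sample records are copied from the page with their call traces abridged to the first frames; the fourth is constructed and names a hypothetical binary, C:\Temp\example.exe, to exercise the classic read-from-LSASS branch. SourceProcessId and SourceThreadId are kept as one digit string because the export gives no separator between them.

```python
"""Direction-aware triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example, not part of the exported log page. Three SAMPLE_RECORDS are copied from the page
(150623909, 150623907, 150623921) with abridged call traces; the fourth is constructed."""
import re
from dataclasses import dataclass

# Process access rights (winnt.h PROCESS_* values).
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION = 0x0040, 0x0400, 0x1000
PROCESS_ALL_ACCESS_LEGACY = 0x1F0FFF  # pre-Vista ALL_ACCESS; the kernel adds the *_LIMITED bits (0x3000) on grant
RIGHT_NAMES = {PROCESS_VM_OPERATION: "VM_OPERATION", PROCESS_VM_READ: "VM_READ",
               PROCESS_VM_WRITE: "VM_WRITE", PROCESS_DUP_HANDLE: "DUP_HANDLE",
               PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
               PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION"}

# The export runs the System fields together (EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords)
# and then the EventData values with no separators; GUIDs, drive letters and the 0x mask are the only safe anchors.
EVENT10_SYSTEM_PREFIX = "1034100" + "0x8000000000000000"
FLAT_EVENT10 = re.compile(
    "^" + re.escape(EVENT10_SYSTEM_PREFIX) + r"(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>[^\s{]+?)-(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{[0-9A-F-]{36}\}(?P<source_pid_tid>\d+)(?P<source_image>[A-Za-z]:\\[^{]+?\.exe)"
    r"\{[0-9A-F-]{36}\}(?P<target_pid>\d+)(?P<target_image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<granted_access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN\(|$)(?P<call_trace>.*)$")

@dataclass
class ProcessAccess:
    record_id: int
    computer: str
    utc_time: str
    source_image: str
    source_pid_tid: str  # SourceProcessId and SourceThreadId, run together by the export
    target_image: str
    target_pid: int
    granted_access: int
    call_trace: list

def parse_flat_event10(line):
    """Parse one flattened Event ID 10 record; ValueError for anything else."""
    m = FLAT_EVENT10.match(line.strip())
    if m is None:
        raise ValueError("not a flattened Sysmon Event ID 10 record")
    return ProcessAccess(int(m["record_id"]), m["computer"], m["utc_time"], m["source_image"],
                         m["source_pid_tid"], m["target_image"], int(m["target_pid"]),
                         int(m["granted_access"], 16), m["call_trace"].split("|"))

def decode_access(mask):
    """Name the rights in a GrantedAccess mask; flag masks that amount to PROCESS_ALL_ACCESS."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    if mask & PROCESS_ALL_ACCESS_LEGACY == PROCESS_ALL_ACCESS_LEGACY:
        names.insert(0, "ALL_ACCESS")
    return names

def trace_modules(call_trace):  # "C:\Windows\SYSTEM32\ntdll.dll+a6134" -> "ntdll.dll"
    return {frame.rsplit("\\", 1)[-1].split("+", 1)[0].lower() for frame in call_trace}

def in_windows_dir(image):
    return image.lower().startswith("c:\\windows\\")

def triage(ev):
    """Verdict for one record. SourceImage holds the handle; TargetImage is what it opened."""
    src, tgt = ev.source_image.lower(), ev.target_image.lower()
    mods = trace_modules(ev.call_trace)
    if src.endswith("\\lsass.exe") and mods & {"lsasrv.dll", "sspisrv.dll"} and "rpcrt4.dll" in mods:
        # LSASS opening the process that called into it over the LSA RPC interface (SSPI / LSA package
        # calls). LSASS holds the handle; the finding is the client, which TargetImage=lsass.exe never shows.
        return "lsa-rpc-client" if in_windows_dir(tgt) else "lsa-rpc-client-nonstandard-path"
    if tgt.endswith("\\lsass.exe") and ev.granted_access & (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE):
        return "lsass-memory-access"
    if (tgt.endswith("\\winlogon.exe") and not in_windows_dir(src)
            and ev.granted_access & (PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE)):
        return "winlogon-handle-from-nonsystem-path"  # enough for OpenProcessToken, i.e. a SYSTEM token
    return "no-finding"

SAMPLE_RECORDS = [
    # Page record 150623909: LSASS -> Rubeus.exe over the LSA RPC path.
    EVENT10_SYSTEM_PREFIX + r"150623909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:59.529"
    r"{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272"
    r"C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593",
    # Page record 150623907: Rubeus.exe -> winlogon.exe with 0x1f3fff through .NET frames.
    EVENT10_SYSTEM_PREFIX + r"150623907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:59.529"
    r"{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572"
    r"C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FFD8E245F0C)",
    # Page record 150623921: svchost.exe (lsm.dll in the trace) opening sysmon64.exe, its RPC client.
    EVENT10_SYSTEM_PREFIX + r"150623921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904"
    r"{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992"
    r"C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18",
    # Constructed, not from the page: a hypothetical C:\Temp\example.exe reading LSASS with the usual 0x1438 mask.
    EVENT10_SYSTEM_PREFIX + r"900000001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:05:00.000"
    r"{3BF36828-AAAA-61F9-0001-00000000CF01}41004104C:\Temp\example.exe{3BF36828-4B37-61E8-0B00-00000000CF01}632"
    r"C:\Windows\system32\lsass.exe0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134",
]

def triage_records(records=SAMPLE_RECORDS):
    return {ev.record_id: triage(ev) for ev in map(parse_flat_event10, records)}

if __name__ == "__main__":
    for ev in map(parse_flat_event10, SAMPLE_RECORDS):
        print(ev.record_id, triage(ev), "|".join(decode_access(ev.granted_access)))
```

Run as a script it prints one verdict plus the decoded rights per record; pass the other Event ID 10 records from this export (the conhost.exe one and the svchost.exe/lsm.dll ones) to triage_records() and they land in no-finding. The process GUID {3BF36828-9F6D-61F9-390A-02000000CF01} is the target in the three LSASS records and the source in the winlogon record, so a production rule should carry the GUIDs and join the two findings into one process story rather than alerting on either in isolation.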
23542300x8000000000000000150623911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:00.545{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6332C2FB4C5D57C4B2C861114B22487E,SHA256=C5C49B34556C166F1CB431B159EC8D941C2CA34D5BEFA600DABF3E55CE398E9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:00.436{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186ABF9CFF294A91B3DC9B90A610F47F,SHA256=224DAD80A1CD24DC5D94317A12BC9BF239319FEF3AEDF0F9776FF67B387318D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:00.151{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E7379752596BBB0028F80E58017E4,SHA256=EB0FE51FD9548444ABC31ED013D6585CBACD81D9A0C72F84F55B64FF1B162F11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:01.451{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E3324E38AA231D77CF0EE29B527019,SHA256=B60581EE0DC9A5B02D09A5772264F065B0F1D6A1179751A93111B2B218A0B08B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:01.151{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FC54E8D94CCD70E9BCB06B621CAB89,SHA256=5F380B6D7F80E9F5F511A5F31014045F4292675450D53319A09D1A2E4BFE4731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:02.467{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C5404022FF118943B1C75AEA5AAA65,SHA256=D508AEC410DF5B55B5A873768B75A88C2448DBFE3884740C93E8455672B9CF8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:00:55.962{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:02.166{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B22D07127017EA1BD65448363E8BE0,SHA256=A9B4FA58D0F1AB89224A8416968AA4F288EFEFADF4F0909F93B8E7F55EF3BB6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150623962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150623961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150623960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150623959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150623958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150623957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000150623956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150623955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.920{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150623954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150623953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150623952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150623951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150623950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150623949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150623948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150623947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000150623946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150623945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150623944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150623943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150623942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150623941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150623940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150623939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150623938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150623937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150623936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft 
WindowsValid 734700x8000000000000000150623935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150623934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150623933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150623932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150623931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000150623930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150623929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:03.904{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150623928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:04.576{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F90-61F9-3F0A-02000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150623972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.576{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F90-61F9-3F0A-02000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150623971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.563{3BF36828-9F90-61F9-3F0A-02000000CF01}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000150623970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.545{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:04.545{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150623968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.545{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150623967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:04.545{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:04.182{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BC15475D3E4DFE3384621A50F812D7,SHA256=D063E93DAE31F8638DA889E1334A75A9DBB319D48152C8EBECD849A9EDCFB654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150623966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.123{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5788AD9A359AE2C165B93F1B532A0B00,SHA256=BB6B6B478F7361BDEC0CA2E46AEB5CC32F68797C964C17143E0AF3A638396FD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150623965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.107{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150623964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.107{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150623963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:04.107{3BF36828-9F8F-61F9-3E0A-02000000CF01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150624025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:05.717{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4FF31A3F39C47A248A4539350F0206,SHA256=9A3AE5FC4D8790D606FF2857F8E169AA40F3C44197C93AC4F1B191105404FA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.948{B81B27B7-4B3A-61E8-1400-00000000CE01}921520C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.916{B81B27B7-7762-61F0-F6F6-00000000CE01}3184716C:\Windows\system32\conhost.exe{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:05.901{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.901{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:05.901{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.901{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:05.901{B81B27B7-73DC-61F0-67F6-00000000CE01}11044784C:\Windows\system32\csrss.exe{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.901{B81B27B7-7762-61F0-F5F6-00000000CE01}36683644C:\Windows\system32\cmd.exe{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.905{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe1.0.0.0RubeusRubeus-Rubeus.exeRubeus.exe ptt /ticket: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:\Tools\ATTACKRANGE\REED_SCHMIDT{B81B27B7-73DD-61F0-9B21-D10700000000}0x7d1219b4MediumMD5=ECCFE02363BDC0068F2DAEF326EA356F,SHA256=BE95105C17452B68806C1DE4DF5725A4ADE81A0FB05AEC047AA2C30C633DD05E,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{B81B27B7-7762-61F0-F5F6-00000000CE01}3668C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000071066462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.182{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD7B4C4CA9C84AA80A8FF2DDBE0102F,SHA256=AFABA3E38E82C92D773C2B786EABAD14C49A17EDB1B72F22F15F3EEBFB38D21A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:05.561{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED858D00FC28C3E36AE589DD0825D696,SHA256=6C9D6FFA67CF43276BBED2B4724AA83D8825D481B9EFD2935412102A4331FCD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150624023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:46.748{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52462-false10.0.1.12-8000- 23542300x8000000000000000150624026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:06.764{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5590BB7BAB997F8C5927A20935F057,SHA256=7E0D269B2480BD7860445D24DB3B2AF696A029CDADA4A952A772B11046A42334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:06.479{B81B27B7-4B38-61E8-0B00-00000000CE01}6403112C:\Windows\system32\lsass.exe{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:06.479{B81B27B7-4B38-61E8-0B00-00000000CE01}6403112C:\Windows\system32\lsass.exe{B81B27B7-9F91-61F9-D109-02000000CE01}184C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:06.198{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FF35AC68BC046E99F8DFDD35C85FC9,SHA256=55638A0E4D422F9E83BAF2245788CF75D89E3369864975FA48A7F230DCBAE6D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:07.779{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE093E2C6CFFAC9C4235D8DD805F358,SHA256=12C730BA7FE55AECE3C34C7461C9BFE0F30BB83FE23204C7C1E6D5F858FA4CB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:07.199{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C1D2A242CA41ED6CDE95D21CEE231B,SHA256=C2289ACCC674C3E5609C7246D7A5B9651C41CB8E00726153793300FE392DBEA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:07.121{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C069325C3F2374A311439FF74E6217E,SHA256=5B4D160628EF6A53ED1888F41105BC6393C6889686F2B61744FB52B6BA9D10D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:07.121{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3DA72008BC6151E12D631866552ABB,SHA256=36CA97359B8D82DCA17001F9039A78C91F70AE48D84DC7308C16C9B57835014A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:08.795{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23705B65FDB230D0271739319F944C98,SHA256=DE0D89A22989D4CAFC0E6EA3B3C4FACBA86F4B3EAD0F869F6B042099349207C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:01.887{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:08.258{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
21:01:10.840{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.840{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:10.840{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.840{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.840{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F96-61F9-D309-02000000CE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.825{B81B27B7-9F96-61F9-D309-02000000CE01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
354300x800000000000000071066493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:04.161{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52609-false10.0.1.14-88kerberos 354300x800000000000000071066492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:04.159{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52608-false10.0.1.14-88kerberos 354300x800000000000000071066491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:04.156{B81B27B7-4B35-61E8-0100-00000000CE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52607-false10.0.1.14-445microsoft-ds 23542300x800000000000000071066490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.481{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5428158E5BD654DDC4132983E53ACB,SHA256=848DE2E6F10FD8F40A8ABE85D1B27F46D3B59630D93F55246DEB27E182B6B891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.654{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000150624142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.654{3BF36828-9F96-61F9-410A-02000000CF01}7084528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150624141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.639{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150624140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.639{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
23542300x8000000000000000150624139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.514{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEBFF666B0EEF55DD975050511A4D2A,SHA256=11E205CF323DF3B4E9DD40AA60F02FD64B51B207C6F2E075A9E2FC5249D0BA4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150624137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150624136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150624135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150624134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150624133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft 
WindowsValid 734700x8000000000000000150624132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150624131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.498{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150624130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150624129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150624128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150624127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150624126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150624125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000150624124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150624123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150624122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150624121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000150624120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150624119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150624118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150624117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150624116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000150624115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150624114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150624113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150624112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150624111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150624110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150624109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000150624108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150624107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150624106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150624105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, 
Inc.Valid 734700x8000000000000000150624104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000150624103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150624102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150624101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 
(rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150624100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150624099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150624098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 
10341000x8000000000000000150624097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:10.482{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:10.152{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F96-61F9-D209-02000000CE01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.152{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-9F96-61F9-D209-02000000CE01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.152{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:10.152{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.152{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:10.152{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.152{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F96-61F9-D209-02000000CE01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:10.138{B81B27B7-9F96-61F9-D209-02000000CE01}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000150624093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B36-61E8-0500-00000000CF01}416432C:\Windows\system32\csrss.exe{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150624092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.482{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150624091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.468{3BF36828-9F96-61F9-410A-02000000CF01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150624090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.467{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD212C0F632C4C987323D7AFD79DBE2,SHA256=BA287F1F94FCB64293DF91C8092132FE5563FE158BE0E5623BEBB05D00FDD870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.045{3BF36828-9F95-61F9-400A-02000000CF01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150624088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.045{3BF36828-9F95-61F9-400A-02000000CF01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150624087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:10.045{3BF36828-9F95-61F9-400A-02000000CF01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
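The records above are dominated by Sysmon Event ID 10 (ProcessAccess) entries whose meaning depends on the GrantedAccess mask and the call stack: svchost.exe opening sysmon64.exe with 0x1400 from lsm.dll, csrss.exe and conhost.exe opening the new Splunk helper processes with 0x1fffff, and splunkd.exe holding a full-access handle to the splunk-regmon.exe child it just started (Event ID 1). The following Python is an added example for this page, not code from the Attack Range dataset, Sysmon or Splunk. It decodes GrantedAccess into the Windows process rights (the bit values are the SDK's), suppresses the benign patterns visible in these records, correlates Event 1 parent/child pairs so a parent's handle to its own child is not flagged, and reports what is left. The dict field names are Sysmon's own XML field names; the sample events are constructed by hand to mirror the page's records, plus one invented lsass.exe access that is not on the page and exists only to show a hit. The baseline rules and the SENSITIVE_TARGETS list are assumptions to tune per environment.

```python
"""Triage of Sysmon ProcessAccess (Event ID 10) records.

Added example for this page; not part of the dataset, Sysmon or Splunk.
Events are plain dicts keyed by Sysmon's XML field names; the samples at the
bottom are constructed to mirror the records on the page (plus one invented
lsass.exe access that the triage is meant to catch).
"""

# Process access rights from winnt.h (exact values).
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME", 0x1000: "QUERY_LIMITED_INFORMATION",
    0x2000: "SET_LIMITED_INFORMATION", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Rights that let the source read or alter the target's memory or threads.
MEMORY_RIGHTS = {"VM_READ", "VM_WRITE", "VM_OPERATION", "CREATE_THREAD",
                 "DUP_HANDLE", "SUSPEND_RESUME", "TERMINATE"}

# Assumption: targets worth a closer look (credential store, telemetry agents).
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe", "sysmon.exe", "splunkd.exe",
                     "splunk-regmon.exe", "splunk-netmon.exe"}


def decode_access(mask):
    """Return the set of right names present in a GrantedAccess mask."""
    mask = int(mask, 16) if isinstance(mask, str) else mask
    if mask == PROCESS_ALL_ACCESS:
        return {"ALL_ACCESS"} | set(PROCESS_RIGHTS.values())
    return {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_baseline(ev, parent_of):
    """Benign access patterns, all visible in the records on this page."""
    src = basename(ev["SourceImage"])
    stack = ev.get("CallTrace", "").lower()
    if src == "csrss.exe" and "basesrv.dll" in stack:
        return True   # csrss bookkeeping for every newly created process
    if src == "conhost.exe" and "conhostv2.dll" in stack:
        return True   # console host opening the client it serves
    # A parent keeps a full-access handle to the child it just created
    # (Event ID 1 ParentProcessId == Event ID 10 SourceProcessId).
    return parent_of.get(ev["TargetProcessId"]) == ev["SourceProcessId"]


def triage_process_access(events):
    """Return (source, target, sorted memory rights) for non-baseline access
    to a sensitive target. Query-only masks such as 0x1400 (what lsm.dll in
    svchost uses against sysmon64.exe) never reach the baseline check."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"]
                 for e in events if e["EventID"] == 1}
    hits = []
    for ev in events:
        if ev["EventID"] != 10 or basename(ev["TargetImage"]) not in SENSITIVE_TARGETS:
            continue
        dangerous = decode_access(ev["GrantedAccess"]) & MEMORY_RIGHTS
        if not dangerous or is_baseline(ev, parent_of):
            continue
        hits.append((basename(ev["SourceImage"]), basename(ev["TargetImage"]),
                     sorted(dangerous)))
    return hits


SPLUNK = r"C:\Program Files\SplunkUniversalForwarder\bin"
# Constructed sample events mirroring the page's records.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 708, "ParentProcessId": 3056,
     "Image": SPLUNK + r"\splunk-regmon.exe"},
    {"EventID": 10, "SourceProcessId": 840, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetProcessId": 2992, "TargetImage": r"C:\Windows\sysmon64.exe",
     "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+fd18"},
    {"EventID": 10, "SourceProcessId": 416, "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetProcessId": 708, "TargetImage": SPLUNK + r"\splunk-regmon.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47"},
    {"EventID": 10, "SourceProcessId": 3444, "SourceImage": r"C:\Windows\system32\conhost.exe",
     "TargetProcessId": 708, "TargetImage": SPLUNK + r"\splunk-regmon.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"},
    {"EventID": 10, "SourceProcessId": 3056, "SourceImage": SPLUNK + r"\splunkd.exe",
     "TargetProcessId": 708, "TargetImage": SPLUNK + r"\splunk-regmon.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": SPLUNK + r"\splunkd.exe+ce6a3b"},
    # Invented, NOT on the page: an unknown binary reading lsass memory.
    {"EventID": 10, "SourceProcessId": 5120, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetProcessId": 612, "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000000001A0C4E1)"},
]

if __name__ == "__main__":
    for src, dst, rights in triage_process_access(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

Run against the constructed sample, only the invented tool.exe -> lsass.exe record with VM_READ survives; everything mirroring the page's own records is either query-only or matches a baseline. The parent correlation is the part worth keeping: without it every splunkd.exe -> helper handle with 0x1fffff would fire. Separately, note that the Event ID 23 (FileDelete) records on this page end with "false - insufficient disk space" in Sysmon's Archived field, so deleted files are not being retained in the Sysmon archive on these hosts; that is a collection gap to fix before an investigation relies on it.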
23542300x800000000000000071066512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.574{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C054C2A30222DAE167119CBC7C393CB8,SHA256=5C1721516167E673BF835A77EE7D28307532B2CA8439390B45B568A0F0C51DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000150624248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150624247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000150624246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150624245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150624244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150624243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150624242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.873{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150624241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000150624240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150624239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150624238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150624237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150624236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150624235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000150624234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.857{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150624162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150624161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150624160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 
734700x8000000000000000150624159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150624158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150624157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000150624156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150624155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150624154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150624153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000150624152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000150624151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:11.170{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:11.170{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150624146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.170{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150624145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:11.155{3BF36828-9F97-61F9-420A-02000000CF01}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000071066511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.527{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9F97-61F9-D409-02000000CE01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:11.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:11.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:11.527{B81B27B7-4B38-61E8-0500-00000000CE01}420540C:\Windows\system32\csrss.exe{B81B27B7-9F97-61F9-D409-02000000CE01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.527{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9F97-61F9-D409-02000000CE01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.513{B81B27B7-9F97-61F9-D409-02000000CE01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.184{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C069325C3F2374A311439FF74E6217E,SHA256=5B4D160628EF6A53ED1888F41105BC6393C6889686F2B61744FB52B6BA9D10D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:11.027{B81B27B7-9F96-61F9-D309-02000000CE01}33561988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000071066514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:12.574{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A842A092647A8E15C9C4D799BF933E,SHA256=2E76AB151E701CB6A49221CE4CF79509422A7AE6DB1957EB40A404D1AF75D473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:12.574{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58CBB75B4898B900F2C89A68C3BBCD2,SHA256=70840C4360DF3EC5EABEE1F40EDD687CFC87EFA12856506E132E61950617E260,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.920{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D06F685EF9D7F9B7C503927D0AB623,SHA256=49ECC70F3BF84F6AE6CFFA178FA0BCF8595F0E9AD2C45CAA701EBB8E3B8807C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150624269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.873{3BF36828-4B39-61E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{3BF36828-0669-61F8-11DA-01000000CF01}6068C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150624255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.045{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3A8A30A5DD95645C6AFC19E55427B5,SHA256=8E815AB9AC8F45FEFAB6E0D2F3BF42F6CB54E1C90060C9DFEBD777D5C0DE65E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000150624254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.045{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000150624253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.045{3BF36828-9F97-61F9-430A-02000000CF01}21565252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150624252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.045{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000150624251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.029{3BF36828-9F97-61F9-430A-02000000CF01}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000150624250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:12.014{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFEA00EB8692A821ADAD737DA9D8405,SHA256=952A5D062B70A4BF00B23EA25F4F6782ACB04B28C52E80B8D1AB4C83838A0A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:06.964{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000071066516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:13.637{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F915D647D5A3448DAA051E35DCC311B3,SHA256=2EA96C4E01E830E768A667047C6ED78AC42C87B59832DABB2F13D9B156131CE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:13.232{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38785BC4BE49EFD34CA771F73528E888,SHA256=FF8FBB2A1237651EEABE623FAB76800D4FDAABFA8984DD3608F33F16E2A29439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:05.683{B81B27B7-4B3A-61E8-1000-00000000CE01}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000071066518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:14.652{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7605083E9A927AB4BFDEBD2EDC7AD591,SHA256=F46C78D53CFA4AE89CF314083E96A526913692DFEA2E2CA7994BE20C1484B1D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150624276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:14.576{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:14.576{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:14.576{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150624273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:14.576{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150624272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:14.248{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C45B8D5973180F5631761ACD315DD1D,SHA256=F8D90C8616DE353103BC5339545F8B634D5ECFDFA46B3DD6D9D6C798E2976CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:15.871{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCF5CC5DF2ECE3521B9114382F0BD14,SHA256=5CAD986AA5C8DCA54D8A90A5A002646AD0EF4258B88C001AA7486C9798C9E37F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:15.279{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05230DAEA64385DAE5F6F9119371DF6,SHA256=3C4F84068C38C4DC4D27C74B32DC0239382D37871BAADFC844BD68C853648114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:15.092{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F472102F3201D907078F703A77BDE2F,SHA256=397F6D218776EE6BDAE163E937C3A7EBD1D6B69808FB46E6702C5185F644201B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000150624280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:00:57.731{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52465-false10.0.1.12-8000- 23542300x8000000000000000150624279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:16.295{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C949F35A91ED35036B2170B967777674,SHA256=6EC4154065E4EDBC0C4A92AED2443B50F84862314FF573A110CCC322473607B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:17.106{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397DE030285D7F6614EC8F192B6E2067,SHA256=802E10C3669DA92C632C61FB9BB0D8515A77664EB5D8877B6346D808B6E36B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:17.326{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D01611A4A9EB882640C7D8BD60127C,SHA256=9DA45557573BBC21F05A2160324D8DEE84AADAC297A122243DE23362D4D8AC5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000071066521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:18.121{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAB9E67291AABEDAB594142655763C8,SHA256=BD14AC5A0DADEC77396B5FA232674DAE118EC23312F68DE49ADC9F3681662C28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:18.357{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC507CA4014B7BB872688C48519DFD10,SHA256=BE24C908CC26DB26BDCCFCEA10FE9F6D9B565DBF060F94CBE230AD6EB2C8D4D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.654{3BF36828-4B39-61E8-1300-00000000CF01}352NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=069D4D12D6380BF451208A43AA66C51C,SHA256=DE4426984D5CF477AE2A87526F85CACF2BB396F051275623ECB097DF6E8F9591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150624338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:19.592{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.592{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:19.592{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150624335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.592{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000150624334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.561{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000150624333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.545{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000150624332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.545{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000150624331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 23542300x8000000000000000150624330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1A01DC43F59A858197FAD383F561C4,SHA256=D539A956BAA69F348C9F5F766A5770BE36DB0EC98BB12509370045B973DBE0BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000150624328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000150624327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000150624326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000150624325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000150624324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000150624323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000150624322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000150624321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000150624320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000150624319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000150624318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000150624317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000150624316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.373{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000150624315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000150624314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000150624313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000150624312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000150624311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000150624310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 
(rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000150624309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000150624308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000150624307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft 
WindowsValid 23542300x800000000000000071066522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:19.137{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AA2C680FD6A45F309B187F291A0B03,SHA256=202766006680BE9834F2994630EDF96805A54A96B3B17105970FC298D50DEE44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000150624306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000150624305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000150624304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000150624303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000150624302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000150624301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000150624300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000150624299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000150624298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000150624297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000150624296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150624295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000150624294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-4B4B-61E8-3600-00000000CF01}34443464C:\Windows\system32\conhost.exe{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000150624293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000150624292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000150624291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000150624290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000150624289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:19.357{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:19.357{3BF36828-4B39-61E8-0C00-00000000CF01}8404768C:\Windows\system32\svchost.exe{3BF36828-4B49-61E8-2A00-00000000CF01}2992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-4B36-61E8-0500-00000000CF01}416532C:\Windows\system32\csrss.exe{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000150624284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.357{3BF36828-4B49-61E8-2D00-00000000CF01}30564072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000150624283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:19.343{3BF36828-9F9F-61F9-440A-02000000CF01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-4B37-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-4B49-61E8-2D00-00000000CF01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150624342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:20.717{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661C11EC7D89CDFCF7DA46A318DBF0F1,SHA256=948057F1323352E1464C4A9E19B87F1DB73253194CAF05A62E9DC3B01136A701,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
13241300x800000000000000071066534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071066533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x43b1b1ac) 13241300x800000000000000071066532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817a6-0x7ad13714) 13241300x800000000000000071066531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817ae-0xdc959f14) 13241300x800000000000000071066530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817b7-0x3e5a0714) 13241300x800000000000000071066529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000071066528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 
21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x43b1b1ac) 13241300x800000000000000071066527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817a6-0x7ad13714) 13241300x800000000000000071066526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817ae-0xdc959f14) 13241300x800000000000000071066525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2022-02-01 21:01:20.418{B81B27B7-4B38-61E8-0B00-00000000CE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817b7-0x3e5a0714) 23542300x800000000000000071066524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:20.152{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9091B2B5701257906F15DC192C5988,SHA256=A603C3FD50BC84158EF8A402CFF68FB3F8D426ADB4454A250EC37792173E21CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:20.248{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08BA608818D2E4AE621C6FB8745798E,SHA256=C15FC215A9CF44E71B6D427C4C023D7ADC7BED1219385C4E03ACB24A0622146D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:20.248{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B73FDA30839BD80DD4C32C39BEFF76D0,SHA256=D4EB4F749FC6F6CFE182007B5730326AD2C8A8DCDCAFEE59A0D81C1FB72F3374,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:12.777{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150624344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:21.748{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16640807693809912D12B121E019734,SHA256=57DC6F73549CBB05129331E45386EB6C212F753A8700E28786F7BD2C253CF72E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.184{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDA79CCC1FD32B9908ABCED38F340D2,SHA256=9EA0A30A9B508D106A3CD2F9843A2D22F110714FBB4342946911BC56D39BA292,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150624343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:02.793{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52466-false10.0.1.12-8000- 23542300x8000000000000000150624345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:22.779{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BB15BAB4DCE9DF4D14CF2C57676830,SHA256=C27C3B54E0D8B355C0EEBAC1D020414B328936C1930DB6591B4F99890B43613C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.762{B81B27B7-9FA2-61F9-D609-02000000CE01}28762656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000071066553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.543{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9FA2-61F9-D609-02000000CE01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:22.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:22.527{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.527{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9FA2-61F9-D609-02000000CE01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.527{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA2-61F9-D609-02000000CE01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.513{B81B27B7-9FA2-61F9-D609-02000000CE01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.356{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD43E49B64EA760185433E9E4B6905D,SHA256=2E6FFEDDE44BFC265C51FBA3B74658C936FC112351C192E0036B356A441CF90F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:22.262{B81B27B7-9FA1-61F9-D509-02000000CE01}6482200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.996{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9FA1-61F9-D509-02000000CE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:21.996{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.996{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:21.996{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.996{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:21.996{B81B27B7-4B38-61E8-0500-00000000CE01}4202120C:\Windows\system32\csrss.exe{B81B27B7-9FA1-61F9-D509-02000000CE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.996{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA1-61F9-D509-02000000CE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:21.981{B81B27B7-9FA1-61F9-D509-02000000CE01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000150624346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:23.795{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1629FF7A4A4ECF2D1641BE512B44806D,SHA256=BD7E6A0C7C99C377AC4221C4A55838FB8F55D1C8933ADE1AE37E78058849C334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.793{B81B27B7-9FA3-61F9-D809-02000000CE01}17245072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.590{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9FA3-61F9-D809-02000000CE01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.574{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.574{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.574{B81B27B7-4B38-61E8-0500-00000000CE01}420436C:\Windows\system32\csrss.exe{B81B27B7-9FA3-61F9-D809-02000000CE01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.574{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.574{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.574{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA3-61F9-D809-02000000CE01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.560{B81B27B7-9FA3-61F9-D809-02000000CE01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x800000000000000071066565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.356{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906D1C9F8B485D85F8DB1E09BC557944,SHA256=12374BDDC3AC15B1C540C52B3FE921565BC798AD03A70580C08EAA098E24B619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000071066564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.043{B81B27B7-4B3C-61E8-3000-00000000CE01}31083128C:\Windows\system32\conhost.exe{B81B27B7-9FA3-61F9-D709-02000000CE01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.043{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.043{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.043{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.043{B81B27B7-4B39-61E8-0C00-00000000CE01}7363692C:\Windows\system32\svchost.exe{B81B27B7-4B3A-61E8-1F00-00000000CE01}2004C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071066559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 
21:01:23.043{B81B27B7-4B38-61E8-0500-00000000CE01}4201000C:\Windows\system32\csrss.exe{B81B27B7-9FA3-61F9-D709-02000000CE01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000071066558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.043{B81B27B7-4B3A-61E8-2600-00000000CE01}21723992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-9FA3-61F9-D709-02000000CE01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000071066557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.028{B81B27B7-9FA3-61F9-D709-02000000CE01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-4B39-61E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-4B3A-61E8-2600-00000000CE01}2172C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000071066556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.012{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79B890B7A33CA1FFF557D265B216119D,SHA256=25F697C25645EBCDDEFA6790264F6DD142A1D917E076645DDC338C5B4FBA2CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:23.012{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE0D66CAF32883268AA542E534BBB16,SHA256=DB73979FFEA15D5B646C5F729678EA30315DDB529093CB371A1ED7378B8BDDDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:24.811{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705CBF00D0F3879EFACEF419A0E885D5,SHA256=12FAF76178091B171383EE2E0B04BF5817A08380210D1C0BD67135983ED28743,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:24.371{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0998D8BBF0F5E1D67B5C2011E8F9FE,SHA256=E57BC47CEB9A96AFBAE866742BD21EE9FB907048A853E766213064535F6FB7F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000150624350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:24.607{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:24.607{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:24.607{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150624347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:24.607{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000071066575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:24.199{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79B890B7A33CA1FFF557D265B216119D,SHA256=25F697C25645EBCDDEFA6790264F6DD142A1D917E076645DDC338C5B4FBA2CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:25.826{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDACA1C4F5BADE224AF2220E61FBA032,SHA256=DF43A4F0B24B19C4235CD776F16E6CCCA2951AF5C2E8280C26EE50EF3D970FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000071066578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:25.387{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F372271CEE0FCDF3C500FE3B2FA743,SHA256=75F735F275748230065F01EF22391A739A20485C17EBD762ED2F3EA18894B76C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:25.264{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177E56C8E4143ABCC9B785734DE943E4,SHA256=35EB6E894B4596D3F6351F93080ED243393F05CB29191E898A8BCD391137F48B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:25.264{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08BA608818D2E4AE621C6FB8745798E,SHA256=C15FC215A9CF44E71B6D427C4C023D7ADC7BED1219385C4E03ACB24A0622146D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:17.870{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000150624356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:26.842{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE671C73C3C802DDA993D2BD21D32C2,SHA256=32C21ABA76D8C76587F52F61F38283DC6E81385C4EB03AA8BD64689963CB07F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:26.387{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF93898FB163A2615F6E635CA2B79B0,SHA256=1DE857B9207FA4FD7EFA0FCCCE67EA6F985201177ECBCADB9F3E173651D346E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150624355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:07.903{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52467-false10.0.1.12-8000- 23542300x8000000000000000150624357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:27.857{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB6612379EACF7B7DC02191D27DA677,SHA256=5D0DF57437604B929D83727F89D9FFBE1256BFD25CF2146ED404AF58AAD7FEBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000071066580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:27.402{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B755ACDFE145332F5B769E9C6F3EDB7,SHA256=58A324389BEC6A64B0B84EAEF7D7E4B0F5ECC483C11F9C86D1AC4002C88E330C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:28.873{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF14B50271EE7774906E28D2A3E1F95,SHA256=5004409F72DAB9F7E1A576AEC992D19376C880B44DB7049CB03F5BAA5BB2C2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:28.418{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB1F84187733BA3B7F471B895831FB4,SHA256=952F9E79184CC907F9F2AFBDC69084F0A12A5890EA66BD133052B15E6FF64E28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000150624373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 
13241300x8000000000000000150624372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x43b1b3cf) 13241300x8000000000000000150624371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817a6-0x7f93f9c7) 13241300x8000000000000000150624370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817ae-0xe15861c7) 13241300x8000000000000000150624369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817b7-0x431cc9c7) 13241300x8000000000000000150624368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000150624367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x43b1b3cf) 13241300x8000000000000000150624366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 
21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d817a6-0x7f93f9c7) 13241300x8000000000000000150624365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d817ae-0xe15861c7) 13241300x8000000000000000150624364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2022-02-01 21:01:29.982{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d817b7-0x431cc9c7) 23542300x8000000000000000150624363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:29.904{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2D232E66C7198A7DF3E9596DF294F4,SHA256=A2E245C550E9062AF4670A32079A46BEF19B9C96E16AECA62C18D12FC1133DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:29.418{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7658FF7DE1D22E36549412EF2300BFDF,SHA256=14AFB3F395F5FA8EE4B7FB364ECEAC8642BB4B2448D537EAB2141BAC1F1A0E09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x8000000000000000150624362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:29.623{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:29.623{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000150624360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:29.623{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150624359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:29.623{3BF36828-4B37-61E8-0B00-00000000CF01}6322768C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150624376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 
21:01:30.936{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F96EE8DD6836614B662709E8FFF8939,SHA256=84A6FF12F7558D46EF3641CBCB8D0FCE17FBD8FE61AEC66379F53D8C0426AE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:30.434{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2611574FE57524526B9B8B45BEF8ED5,SHA256=DB4AC7927DDD3CC0F343D86C707A4F513FEE51D0B3AEF56715A6083B5DBA0F9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000071066583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:22.964{B81B27B7-4B45-61E8-6600-00000000CE01}4020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000150624375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:30.639{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F64B0C950D5C9BCF4778B85E3F357CF3,SHA256=44118AE4C97FD62E2DEF73653C6DDB64A978F7A88257E3B102FE86319FC98F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000150624374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:30.639{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177E56C8E4143ABCC9B785734DE943E4,SHA256=35EB6E894B4596D3F6351F93080ED243393F05CB29191E898A8BCD391137F48B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:31.982{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF6DDDC22DCC60F5302953EA921DF24,SHA256=D2EB07BF5E9CD1DF65D2D4F8179D2A832E8EEB6C76AD7C4BCEB1937A043313F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:31.449{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1E4F808E92E23F89F78091F7530F84,SHA256=B62836146D98891C5F06FFE340C2BBEC24B066825FC1E937CB9D9F5E613DEB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150624379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:13.919{3BF36828-4B37-61E8-0B00-00000000CF01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52469-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 
354300x8000000000000000150624378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:13.919{3BF36828-4B49-61E8-2500-00000000CF01}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52469-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000150624377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:13.824{3BF36828-4B56-61E8-6D00-00000000CF01}4044C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local52468-false10.0.1.12-8000- 23542300x800000000000000071066586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:32.465{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F731F55E896BA209ED8112FF114D36,SHA256=0B9C0C9EA5F3C95A5676000895F2BD04447DC0AB085C8439005C4FB474F4F27E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000150624381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:32.857{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F64B0C950D5C9BCF4778B85E3F357CF3,SHA256=44118AE4C97FD62E2DEF73653C6DDB64A978F7A88257E3B102FE86319FC98F86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:33.481{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC1589271C080946CBEB7E7485A4357,SHA256=F7D0485FB7A20B47CDD3AE1F0442C3DF46DF4956E7E7A3512DF610A7ABD49B9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000150624384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:15.438{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-128.attackrange.local138netbios-dgm 354300x8000000000000000150624383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:15.438{3BF36828-4B33-61E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000150624382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:32.998{3BF36828-4B5D-61E8-7600-00000000CF01}3900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B6AA81195BE85FC25D3FF2D4BDAAD8,SHA256=1159D828B19F6A10F5173E7DBCE579027D4A5A5024B5A0260B93509181E54A6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000071066588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2022-02-01 21:01:34.496{B81B27B7-4B4D-61E8-6F00-00000000CE01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D9927976938B954E75E5550D0C2230,SHA256=AF3B377C8BEC77B5411577D559BEA86CD880B4BFF6E8583AED23C58EE90932E3,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 10341000x8000000000000000150624389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:34.639{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150624388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:34.639{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000150624387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:34.639{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C) 10341000x8000000000000000150624386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:34.639{3BF36828-4B37-61E8-0B00-00000000CF01}6324464C:\Windows\system32\lsass.exe{3BF36828-9F6D-61F9-390A-02000000CF01}1272C:\Tools\Rubeus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000150624385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 