11241100x80000000000000002528619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:14.459{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:14.459{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02E12FB03EF6112CDFB4D6CA318B771,SHA256=39101A4D17F0DF69EDDF5380FFD30358E7F204524603D3F117E9D54738E2B94Efalsefalse - insufficient disk space 354300x80000000000000001563209Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:08.509{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22331-false10.0.1.12-8000- 23542300x80000000000000001563208Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:14.293{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12A581DEA0EF46B6F8EB41C0C06E082,SHA256=F6904FBC2EC53CBBB778D10A1E27CE6F60AB97770FE7B81CC11AC8EABC32D27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563207Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:14.035{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A07469E95D5DF2F9DD7629F72E0698E,SHA256=3BA8060D44DBBDC2ED6A08CBD3912ED698BCA8BA130040E74665EB70FCABBCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:14.034{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=318881E3FB7B327C08B35385F4E0E9B5,SHA256=67A6DD431B1E675B54B5D9D9C5CCF78BA1887F9B551B850B47EAB31FB356E793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:14.013{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563204Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:14.013{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:15.597{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:15.597{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC0767092394783A37306EE1F326F38,SHA256=786B33A33CE181C4E64E9F321A77BE666858D4C9326D3A2A2C10083942EA15E7falsefalse - insufficient disk space 23542300x80000000000000001563212Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:15.295{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2723E0B9B40C156B38FEA55AC54F074A,SHA256=3B0A8253701A131CC71D9B5CC7DEBC3569F36166BE6180BB1E0694B009E059F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563211Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:15.014{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563210Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:15.014{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563219Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.453{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=8B812D9BF33B59E9BDB7430A29B4EAA9,SHA256=C1B6913753AB0743E0964E37796E045CD2AD4E6B1BE650DA69BF997FF53DD63C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563218Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.406{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001563217Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.405{761B69BB-88A9-6081-637F-00000000BA01}58365856C:\Windows\explorer.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563216Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.405{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF10998561.TMPMD5=FD9CA3B752C969255F9013E45601E2FF,SHA256=6B542E6C346BCD00B0E9E5182F5689C44912608F9BE79EE9E779CD8B01144944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563215Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.307{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036AB7B7FB5EC64B98012423CEA84037,SHA256=F0523BC053E7D035D70977172112A03E5F5F7C5A2253122EBE4146E6AC0D21CF,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002528681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.869{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000002528680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.869{21761711-C16C-6081-B487-00000000BB01}17041708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.869{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.869{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002528677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.747{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.747{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.747{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.747{21761711-C16C-6081-B487-00000000BB01}1704\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002528673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.747{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000002528671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002528666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002528651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002528639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000002528634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.731{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.716{21761711-C16C-6081-B487-00000000BB01}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:16.715{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002528625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.599{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.599{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E274AA854F2EC8B366EB67AB187AB10A,SHA256=454CD45870F54132D98562E39E72172AC029BB6E7D12A524794C4435BD2144D2falsefalse - insufficient disk space 11241100x80000000000000002528623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.064{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:16.064{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2713D9E25D98900875169AD5337508,SHA256=2808D602A32CC18CE69DEDB2A811E91B4DD8C5C0089CA57CD64E79F35DD215AAfalsefalse - insufficient disk space 10341000x80000000000000001563214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.015{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:16.015{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5701E5358FC0AD189C815F4F147C6951,SHA256=56BCEB3C683B289615A20E1B97ED18F7E523212ECC58EFEA703B01DD4DE6A6ACfalsefalse - insufficient disk space 11241100x80000000000000002528746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.802{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C264BE7D0ADD717614A36FF52143ED,SHA256=9290786DF97D04DA1F4A1CD57A9A5F84BBBE0516074F7EACD3EF2DFA42B7AEA8falsefalse - insufficient disk space 354300x80000000000000001563225Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:12.112{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22332-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001563224Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.675{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A07469E95D5DF2F9DD7629F72E0698E,SHA256=3BA8060D44DBBDC2ED6A08CBD3912ED698BCA8BA130040E74665EB70FCABBCF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563223Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.396{761B69BB-818C-607D-0D00-00000000BA01}9046508C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563222Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.311{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7DF28ACB1348D47F9F2D9E197002AE,SHA256=E3487E7F57F577C20E512AF4556F6B84CBAD79EE43DC8D8465470E698C84317F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002528744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:14.530{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x80000000000000002528743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002528741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.571{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002528739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.466{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.466{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA05EA4D6ACD919A8BA4A1661450E3CD,SHA256=A2EF6C2872EE13D0008DB86969AB9EC1A01A1D4E847237463B043AFB2B0638D1falsefalse - insufficient disk space 734700x80000000000000002528737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.448{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000002528731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000002528726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000002528703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 10341000x80000000000000001563221Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563220Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002528700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000002528699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002528698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000002528695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000002528690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.433{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:17.418{21761711-C16D-6081-B587-00000000BB01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:17.417{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000002528863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.936{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002528862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.936{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002528861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.936{21761711-C16E-6081-B787-00000000BB01}72284540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.936{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.936{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002528858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.905{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.905{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF51C6C960D56B1CCAC0B7CA4443A53,SHA256=1292F763C85F19F2970DA1ABD6F94CBA238EA0D740966A3C0BC42F589791CB0Cfalsefalse - insufficient disk space 734700x80000000000000002528856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.820{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002528852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000002528850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000002528820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002528818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000002528813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.805{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.790{21761711-C16E-6081-B787-00000000BB01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001563228Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:18.321{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B3E789A85AB07896AA7AB93A828181,SHA256=9FC4E015390824A468628C51F06EC2E962A46684DAECBC22FB338044BD21478A,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000002528810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.789{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000002528804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002528802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.272{21761711-C16E-6081-B687-00000000BB01}42806100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.271{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.271{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002528799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.150{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002528762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002528757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.134{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:18.119{21761711-C16E-6081-B687-00000000BB01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:18.119{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001563227Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:18.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563226Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:18.016{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.871{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.870{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7A990A312252FC916A3613E9E296C6,SHA256=42DE053E8E41D9F32E4135BD824259990EB6CB31E7E6563AE921831333CDB14Efalsefalse - insufficient disk space 354300x80000000000000001563233Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:13.638{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22333-false10.0.1.12-8000- 23542300x80000000000000001563232Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.338{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC535C4666652B4D7A9C4F0913970B6,SHA256=01CFE05CB56183CB35AECBF731B3FFB9D3F0933116D765DA872D41789DFCA9C8,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000002528923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.622{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002528922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.622{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000002528921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.622{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.622{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000002528919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.522{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.522{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A38CEF5B53B9799D23FAAF2DE0D837,SHA256=565633708017445475EC2191CE4F5049B7600A381DE721B510096196CCFCACBFfalsefalse - insufficient disk space 734700x80000000000000002528917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002528913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000002528911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000002528903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.491{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000002528883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000002528879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000002528874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.475{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.470{21761711-C16F-6081-B887-00000000BB01}7236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:19.469{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000002528865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.253{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.253{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1080763B72D74BCBD65671C4D84C6D1,SHA256=08B89B5010488C6978AE0BB67F528E4DF6CB983676FD3760B57D7544A17FE580falsefalse - insufficient disk space 23542300x80000000000000001563231Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.144{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91BEB768064EED2957EF00F53FE84250,SHA256=7299D38FF899064684B60C5B99FC225C38677F7ED2B7203C67745192826BB5FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563230Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563229Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.017{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.994{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.994{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4DE4D4EE21B8EBBB63AADE77759768,SHA256=B2F5C9AC1826314FEDAC1C5606B879873FED18F67BAEEAEBA8236149328CAD0Efalsefalse - insufficient disk space 23542300x80000000000000001563236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.341{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9830202D5F60A8A9FE794DF99C343E3,SHA256=8E55EF419EA39584C03635A089CB68A07DC33F09253FACDE238DCBFFE5E04801,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.509{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.509{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=280AE5D0A952DE583B03647D7A58A472,SHA256=FDB5CFE2BC3B1ECADC05C1843D881165438FDCB9FC03B16BD25A16AC2B7BF279falsefalse - insufficient disk space 534500x80000000000000002528981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.293{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000002528979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}33561528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000002528977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.277{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000002528976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.172{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000002528975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.170{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000002528974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.170{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000002528973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000002528971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000002528970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000002528969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000002528968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000002528967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000002528966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000002528965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000002528964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000002528963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000002528962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000002528961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000002528960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000002528959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000002528958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000002528957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000002528956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000002528955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000002528954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000002528953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000002528952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000002528951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000002528950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000002528949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000002528948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000002528947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000002528946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000002528945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000002528944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000002528943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000002528942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000002528941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000002528940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000002528939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000002528938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000002528937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000002528936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000002528935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000002528934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002528933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.155{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002528932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:20.140{21761711-C170-6081-B987-00000000BB01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000002528931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000002528927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000002528926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 18:33:20.139{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001563235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563234Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:20.018{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:21.350{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C644F88E421C26342F8524D93A82D9,SHA256=1452344ED2177CB291DF7F0EAF73A083ED75393520B0C87F0B14D94510011840,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002528986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:19.542{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001563238Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:21.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563237Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:21.019{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E6176014F828884A661172C0194436,SHA256=F02460EDF3787EF48D621D3D4BF8775803E097D92D5E2BFDFFB3390695F132BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:21.997{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:21.997{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BA6D60DDE0AF50DC4E4FF0B9FBC00F,SHA256=F1F49651C0B566C0E64E336FFCF0014BF33001C8C3516DF129AADDA0CCB51C5Efalsefalse - insufficient disk space 10341000x80000000000000001563241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:22.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.367{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCB4AA2BD73083F751BAD7A3283744E,SHA256=A567C5FD30C4CF0A14002AF24743C4C9B27D7A647C70997EE6021D56F02D568E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:23.015{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:23.015{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95D19EF5BC175A464B43EBAA88F2B4F,SHA256=580DE4D116F9CEA44FE97C2239AC5C22F862E69DC07AAD742A14AD677C40EA00falsefalse - insufficient disk space 23542300x80000000000000001563245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995FF0F1117EBD7B7D47B7A09420999F,SHA256=C7C6742BCEE023C902A4D7B9975D553B0E597ABE9B8F986E2DE8748090EB7A65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:23.020{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563250Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.377{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBB2C3FC0CBE720930985A286CDC1BF,SHA256=617285D13B9A903D7D4DD33B2A15CF516F6DA4A08EE6CC303573EFFE188EDB54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002528994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.704{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000002528993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.704{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F9EE2F078CFB1235F62420F463F7A37,SHA256=93B565EEF49E88801085BC5FEC3EBE963FAE8DB99D98B9A2B815AC8065BC0D06falsefalse - insufficient disk space 11241100x80000000000000002528992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:24.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D7C6B3AF9499C03582F1C027E8264C,SHA256=0B07B9C1D6D19F5B6409F034778A9B07D5E0C591F798C8BFC3D05D685987F487falsefalse - insufficient disk space 354300x80000000000000001563249Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:17.691{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22334-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.021{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.021{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.051{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.051{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5504B8DDB32525BAF32CCC008F8553,SHA256=DBF3FB087D2B75BB539390BE653F42707DA3599A6CA40F67CC7F700FA4D63935falsefalse - insufficient disk space 23542300x80000000000000001563254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.396{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121342FF81681D40FE5EBF16CBBF9029,SHA256=9641D9F80F3573168480C70C6E833BC129247B7C74E1728802C2675E5E88B826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.035{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FBA022267CFC10B790DB8E1060A148,SHA256=89478EB6CE642DA2BB89388D4C3E3DAF7C12D007BF67D5F0E1699CEBBFFBDF17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.022{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563251Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.022{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002528998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:26.054{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002528997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:26.054{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4CD3D9A696FF27C7FA92FE98AD2DD2,SHA256=2F97015C0A9E7BD962C93C1A9BE919364777AC99688DE31D8BF7506F14C981F5falsefalse - insufficient disk space 23542300x80000000000000001563258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:26.400{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E47AEE055535FFF8E8B4589DA8B0FAC,SHA256=B136CD7F0507668FE058CE9743AC4D18A65C594E8DFC79AA1F9808B787EDFA26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:19.535{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22335-false10.0.1.12-8000- 10341000x80000000000000001563256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:26.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:26.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.408{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DFE0361338ED26ABACA271C9DA7A5D,SHA256=361B79887D3A52E26DEA81FEAE3BA8CC4E78F8A360F62FA417DBA21EF34E05F8,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002529006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:33:27.773{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x80000000000000002529005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:25.556{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50722-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 11241100x80000000000000002529003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A969F631A8607F63D89E163F56659D00,SHA256=30A96500D771052D0B5C6B625C67400BD3303489C6D2FBE31B2ADC1BF42DC412falsefalse - insufficient disk space 23542300x80000000000000002529001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A9BE6BA7B5AB9B483842C244826D18,SHA256=CE4BBDABCE39AA6B86E0EAC544686B9A6A6BAC684CC44E45C4B2A56222172272falsefalse - insufficient disk space 11241100x80000000000000002529000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002528999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76A502E6BE657BF0CDE5754E8933F2C,SHA256=1123FBA1395ED3515A670BFAD3193A1460A78A963BAC1BB7FB6F24CAEC4C1AD5falsefalse - insufficient disk space 10341000x80000000000000001563260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563259Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:27.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.421{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F503B9FE10AAB41735A9691382131C,SHA256=D05E6029AF59DA13C0B1A5661881945D9258C24A41581CB45A04B1E53E0F9B5E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.894{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.894{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A969F631A8607F63D89E163F56659D00,SHA256=30A96500D771052D0B5C6B625C67400BD3303489C6D2FBE31B2ADC1BF42DC412falsefalse - insufficient disk space 11241100x80000000000000002529008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.127{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:28.127{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D801D501C2CE8B051A8B2309FD6217,SHA256=CEF175F9646B8C3676D7E437FC3EC21A785E7361325876E92AD6E055AF7C1FA6falsefalse - insufficient disk space 10341000x80000000000000001563263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:28.024{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:29.426{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6368275AC34575B10A4B1CFAC36B337B,SHA256=16A00D738A25D97812D93025BA3C41DEB829ED127A48B9728AF9F49ADB599F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.246{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50724-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002529013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:27.242{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50723-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000002529012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:29.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:29.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A4F319DB29952B8F806F26AC30AF94,SHA256=20FA630D696DDEA5FD274FAF68BA557FC5FF2481B26DD5A3287D4E31F021F8F9falsefalse - insufficient disk space 10341000x80000000000000001563266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:29.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:29.025{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.435{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A423FC2AA22803ABFBF145A605708953,SHA256=C776980B3538A9F4DFEB5BBAC997655A1CB2AA4EC515E10F89A917988B4A21DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:30.197{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:30.197{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A5721EB51DF983D344CEDD5DA727F0,SHA256=9FCA8ECFA2098D482BBA93B442BFF727D19E2A20A50547F6A14F979C6C5DFC87falsefalse - insufficient disk space 23542300x80000000000000001563271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.166{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCF91A7EA49D439BF3A03139A4B5811,SHA256=D000F6EA649C1698016587435495227875F70D8A1CF644F67496D67B85B5E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65FD28C802B14C6217BBFA96E687C763,SHA256=093A56FD94570A89ACC15173C55E77EE02395F0153D6CCE868FD2273D9D3B8B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:31.219{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:31.219{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F72E63CE1D650C210E70F310E4A55D0,SHA256=23EE65B6E7ED2AD2A1146ECCF49AAB9CF0D5A17C4E75931D88F52F1275DD644Cfalsefalse - insufficient disk space 23542300x80000000000000001563277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.440{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5890143C0825A04C41EF7BD91D55C5,SHA256=9169E3551F28ADF322142BD239F0C764D08F4D32555706B5A1E2C60669E563F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.195{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDCF91A7EA49D439BF3A03139A4B5811,SHA256=D000F6EA649C1698016587435495227875F70D8A1CF644F67496D67B85B5E25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:24.666{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22336-false10.0.1.12-8000- 10341000x80000000000000001563274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:31.026{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:32.447{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50005291A76914FE4E4C35BDBD72587B,SHA256=0AB1C8A0DACDAC9AB0EB68A2F77E7F595C7F92EE588EF079E894108BF8F57A94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:30.569{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.222{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.222{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4D06D3C443F91D5ECDA1F84BF2B7B3,SHA256=B8E1586AFA348600D53CA9838AE334A48DE76B5796644580609D1D1A7E7BAD7Dfalsefalse - insufficient disk space 11241100x80000000000000002529020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.137{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:32.137{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EDE6FD13A352DEC9D8F765708F90308,SHA256=EE0A4B68CC05AC7FD10F12A9F99327092F5687782AA07AA566779B05E0F2F2F1falsefalse - insufficient disk space 354300x80000000000000001563281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.688{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22337-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001563280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:25.688{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local22337-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 10341000x80000000000000001563279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:32.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:32.027{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.456{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A1F9DA56552BCA4A0701CDCFF75DE,SHA256=50F1421C773E08DE8A0E1E545B5A46E02B2FE2143ED91D1CBC75B848BD9A100A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:33.224{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:33.224{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1740F0F09E64CCF70A8A394213FCBB4A,SHA256=2CF44C0F8CEE6546DF44CBC3FFABB4A599ED0281C8714E4B342B47B62B43D62Afalsefalse - insufficient disk space 10341000x80000000000000001563284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:33.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.876{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028430C3E74403ED189590BA9C0A303B,SHA256=30B5BB517203AA8BB756A5F9FE710F3EF0FE6E1A182AD098B183831A7C2F8080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.479{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6472E8FC2EE15255A6A9445A7182BA,SHA256=323A60ABE679C4F552D3C9550C3D29C8EFFB6A8E716DA4527F7A5BB4D58B8434,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:34.227{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:34.227{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D006A4EDD7CDDA10E30CCD7566856F,SHA256=E6886AAC5D0E1718769E8FE5B56EFE00A29128DAC16A964CCE505D6A15FB348Efalsefalse - insufficient disk space 10341000x80000000000000001563287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:34.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.376{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.376{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DAD4D0B791EE000AE1D9F91C9CA451,SHA256=2E7B7389232649EDE677CC5C152384A2897A1A8D240C2CEF7D70250164ED9015falsefalse - insufficient disk space 23542300x80000000000000001563292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.494{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC46DEDC038F5124252FD308EACCAAB9,SHA256=52EBA82A208478BFFB653E60CB8C6C7CA07BD501FEF6ABB41DFA93827CCB706C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.029{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:36.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:36.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3D1ABF6B0C108CB6E84D349E633DE5,SHA256=B332A6C3D6507300BBF910E096391FF1DB83577C563E11FFA3252F85D5B365CBfalsefalse - insufficient disk space 23542300x80000000000000001563296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.507{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04FD83216EC3F78A087395915C6AD38,SHA256=026EAF60FA85208037E2453F1F11D9A4217D09A331E969F476541B9207A62A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.092{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8F82FCC15675F28F9D097543CEDF6E,SHA256=8EFA3DF7B7E7BAFE378AE504449EF5ED9736F882B382B38C3D86B4272A455D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:36.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002529038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:35.580{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.634{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.634{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669FA8868CD31DA8C7FCB503CDFE6D44,SHA256=C51AC6F5D2189B8481E851E90008C254C8B22FE8652281C5541FD9C575FA37F2falsefalse - insufficient disk space 23542300x80000000000000001563300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:37.512{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57B855628FE51C0C09800F06D1C28D7,SHA256=75400F633E4ABAD34BED0C93439F1962563CD43D2D7265B90915650B2C181EC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E2FDA5BF1EA27EDCE0EF99E07B994A,SHA256=270638BE296FC912B1091A6349A5F8A65722C77381D7C801F195C54711A91365falsefalse - insufficient disk space 11241100x80000000000000002529033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:37.182{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3197FD0F2AF39F102EAD44353E8A177A,SHA256=D362FCDE2CFBCC3ACE7611538A187267C5788B24A12176D170463A12DE6EE57Ffalsefalse - insufficient disk space 354300x80000000000000001563299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:30.575{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22338-false10.0.1.12-8000- 10341000x80000000000000001563298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:37.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:37.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:38.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:38.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592F3D12A30403C0FE8DB86A01DAA769,SHA256=784853232BE95CCF69DD0D4703AA58C35E22C016826B46689513EC9CAA71C56Cfalsefalse - insufficient disk space 23542300x80000000000000001563303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.518{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8435B755724987A171C7B29818843FCF,SHA256=73135C3BA5AF5E0BC638F9051AF491824899FB6139ACF4ED794D0139B738A812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:39.955{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:39.955{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD6F21288CC2A86A2ACE1D541B81684,SHA256=F113D7EA606BC7D6100FA5AA7CD8B378EE0A7C550206164E468A30EABEF6D2AAfalsefalse - insufficient disk space 23542300x80000000000000001563306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:39.521{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CF83FF0643B8AEC7C03B23A59DAE31,SHA256=B4AE8820329B82BDE0DBAB4D31E3B8092C7C6C3384524D5DB4515DC97E1A7218,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:39.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:39.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:40.958{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:40.958{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53BA495317E8B3022EC40BBAE6462D3,SHA256=0EC504B779B57E8BE86AE1EC381AC28ADAEA58DA57A049BB59C9F1A82D4541D5falsefalse - insufficient disk space 23542300x80000000000000001563309Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:40.529{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02130AC3DA9BAA7CB3E03A41823F987,SHA256=806A17B7ABFAA98D5CD666603B4BE8DD2654DA1D9779C28479B38A94FDA526E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563308Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:40.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563307Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:40.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:41.960{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:41.960{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAD0A11D31365011EBF118719E3BF42,SHA256=B9CFB772743CC6193B400D80968641943E950E0B6B97DC762E033B8AF85D2985falsefalse - insufficient disk space 23542300x80000000000000001563314Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.552{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6E9516E6ADD6A872B84365CA32F4C7,SHA256=2E1E4EDCB0D3A6DBF36F2300FB3D6EC4DFF6370B317196F4024DFD874C9124FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563313Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.214{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F67D1A0EAC7870437EC8E36657F4BD2,SHA256=2696FF3527C6F9FAE5B295D1FD16130285C019B0F5F60760A521D44FB5BA2689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563312Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.213{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C42E6F4BC1FA6ABDA6615F2362A6AC12,SHA256=12F102A9340B1EE293B7E1575301085E65BC6D96C56501395F228DBE743652B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563311Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563310Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563318Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:42.558{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFA90F7232B4B60755E6DCF8ABB2341,SHA256=7991FA1DAE858AEF5C057683C5502E46C08F6C22572BE05C9DF69ECBAF875632,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563317Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:35.705{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22339-false10.0.1.12-8000- 10341000x80000000000000001563316Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:42.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563315Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:42.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563321Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:43.561{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5395A8E2E6543878784F68C882593CB,SHA256=50BFDB0C06E0A05DFA1FCB3A2D5CADDD6AD665051514C6161CF39005098403F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:41.613{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50727-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.695{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000002529053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.695{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 11241100x80000000000000002529052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.263{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.263{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=173DEBF31B8CA2D900D9121C2A611BED,SHA256=361FC2706C866DACF5C017421A747158D0A58AB3E1CBECEFC15869E236FD8436falsefalse - insufficient disk space 11241100x80000000000000002529050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.263{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.263{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54E2FDA5BF1EA27EDCE0EF99E07B994A,SHA256=270638BE296FC912B1091A6349A5F8A65722C77381D7C801F195C54711A91365falsefalse - insufficient disk space 11241100x80000000000000002529048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.028{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.028{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B61857662FBDC8AD993C886ACF76764,SHA256=5275A34A47E81E84F421D899CF2C8C46B6ED4E4089D2B2D2D92D3CF4543CE321falsefalse - insufficient disk space 10341000x80000000000000001563320Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:43.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563319Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:43.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563325Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:44.568{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D485BBE8810F323769A20333A0484E5F,SHA256=9277570940F7D8FE0E3E029FCCFCEEC7DD12AFB8E27064CE7560E21165841157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:43.148{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50728-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000002529059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:44.682{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:44.682{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=173DEBF31B8CA2D900D9121C2A611BED,SHA256=361FC2706C866DACF5C017421A747158D0A58AB3E1CBECEFC15869E236FD8436falsefalse - insufficient disk space 11241100x80000000000000002529057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:44.065{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:44.065{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CA07CC0E2BD86B04ACC09728249A0C,SHA256=95B1971217278C2B00E672CE400935B23A11520A45ACBAFAF77A5205CC0CF089falsefalse - insufficient disk space 23542300x80000000000000001563324Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:44.359{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F67D1A0EAC7870437EC8E36657F4BD2,SHA256=2696FF3527C6F9FAE5B295D1FD16130285C019B0F5F60760A521D44FB5BA2689,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563323Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:44.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563322Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:44.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563329Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.577{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218B77671DC0F5703A1163C54E01A225,SHA256=11319BBF786575C512E82E5289032B9F8DB7D9218C0DA2240574D71E16E08B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002529107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002529063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.653{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.083{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:45.083{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA046B7C70F0DBE6EBDE96E0792F14D,SHA256=C8A3DC8AE3F8D4B1FA3A07C7BDAE32F22C9C02FFCED05D9FDCCA6D5C7CA1A71Afalsefalse - insufficient disk space 354300x80000000000000001563328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:38.840{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local22340-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001563327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.772{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.772{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F598A77FE0DD246ACFE32CDCF22692,SHA256=6C4FA4782BEA2281A376FBB50E108F9A94400D17747E46775783F932FF14DCA5falsefalse - insufficient disk space 23542300x80000000000000001563332Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.582{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A51D11BB78E00BE61B9C6332319C7C,SHA256=3D56EAEA8CDC5BB108220744B505AEC71E070273E7517A554E80044B9C8A3C90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563331Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563330Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000002529113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:33:47.805{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\syswow64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000002529112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 18:33:47.790{21761711-BD9E-6081-3387-00000000BB01}2852c:\windows\syswow64\windowspowershell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000002529111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.774{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.774{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082D435CF6BCD8868E9DC6C6CEB7CD81,SHA256=039EBAD47AAFC63903E79365C76696476D8A27274C586EB87BA2C4B45CC5F4DBfalsefalse - insufficient disk space 23542300x80000000000000001563336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.585{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6BE75D318DCB41E060A88973BBCBA,SHA256=2FA7421D645DA7B3E614F61B000103F8E29D07BE24AA529B283F8FF017FEF6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.115{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14117C3B388B1C121BEB0DFEFEF7DC0B,SHA256=A35D3133070A903E9F7175BC52F3210D9D3FAE67088ECC747300BB95EECB9F31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563333Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:47.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.792{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.792{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB316320042CC1817C0800AD0ED19B7,SHA256=5BCD265F5C55EB512F422C1A7C52643FB3321208CB22D0FCC878361E47AF2D7Dfalsefalse - insufficient disk space 23542300x80000000000000001563340Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.590{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEC01C3BF3420B4F531C4613B0D468F,SHA256=193BFC2EA328D5E656714E5EC194EB1C65085C062BADFBF5DDDA21C940F2CA0C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.159{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:48.159{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=024DDC6FA9B140330910351549740533,SHA256=6ED84CDF105A4BF3AA991E5E52C9FBF0D23FACEE3F217FF377F8E863D6FA579Cfalsefalse - insufficient disk space 354300x80000000000000001563339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:41.594{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22341-false10.0.1.12-8000- 10341000x80000000000000001563338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:48.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:49.794{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:49.794{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFD603371311D1D8DBECDA1F5FAE826,SHA256=DE7BC18C6A5F0C244D4259AA97E6685E9154190CB6BD79D1B5DB84313EE0D895falsefalse - insufficient disk space 23542300x80000000000000001563343Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.596{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBD5C5DFEE8BF5AB58B5451926BA0CC,SHA256=7257AD16F7FBD8005BBF6D1ED32037C638BFB8A4E4BFCCE2BF8EA12078B8C294,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.274{21761711-C14F-6081-B287-00000000BB01}788C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50731-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002529119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:47.259{21761711-BD9E-6081-3387-00000000BB01}2852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local50730-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000002529118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:46.625{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001563342Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:49.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:50.913{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:50.913{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55C0DA891D3F49B3DC25F17D77B6608,SHA256=127B5457C807146BD3586F262508E331EA7D173A37BCC34A53892919BA10B06Efalsefalse - insufficient disk space 23542300x80000000000000001563348Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.983{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB358BA6FF4ADBA9B88D159614EEA3F,SHA256=43E41A744575D06AD0F51466B654E3A488B7518E90C60E3FDA7EACBC879CC0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563347Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.600{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85D3740C449054D5CD94AFAD139AB48,SHA256=CA85309488F41557B19FC6020BDA3BA7ECF083FC4C2E42F2B2EA2FBA01003E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563346Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563345Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:50.025{761B69BB-818A-607D-0B00-00000000BA01}6326220C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000002529126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.984{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.984{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D463A6500DFCB64118F696A7AD6F0DA7,SHA256=6A92CD35BB2F1FECF9B49CCE77A7A8884775AE81E36E0BB0A6D3B4915AB9BC6Dfalsefalse - insufficient disk space 23542300x80000000000000001563366Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.612{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10835699C98F1ACA7C22755AE1AF5C66,SHA256=19D3218442A4D5C1C128231235AB49BF269A1F92076F755AF482280974619562,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001563365Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.529{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22344-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001563364Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.529{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22344-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001563363Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.432{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local22343-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001563362Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.432{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22343-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001563361Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.425{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22342-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001563360Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:45.425{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local22342-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 23542300x80000000000000001563359Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.159{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563358Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.159{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563357Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563356Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563355Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563354Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563353Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.157{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563352Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.156{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563351Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.155{761B69BB-C18F-6081-2586-00000000BA01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563350Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563349Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:51.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002529128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:52.987{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:52.987{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC632DA4890B6D77ADD3794426AC20FE,SHA256=32727A245650ABD7FDC81CF02F02661B035EBAD10E3021EC1E8747684AD2707Afalsefalse - insufficient disk space 23542300x80000000000000001563371Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.618{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85A8A3144D6A341630FB50F134A01F9,SHA256=B7A93A41913592831171E4AD762A3F849AC1A33885129069C556A7320CF52CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563370Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.276{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7BBB92CBEE4C0159ADE46F446D29FEA5,SHA256=AE2107C5C9F24D9680B8F9F6578547741C30DB1615017DFE2A67E115E375D72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001563369Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.162{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27AFF385E0CEEDE30F013E62CD4360BB,SHA256=27552C7AB164D2D02CC36242FE8311326684C13690CAA1E431001E0139DED97A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001563368Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563367Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:52.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563376Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.629{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A588AA04EEC27D07E80825526C5F13,SHA256=30F2AAA8628DF2C72600EB52C5BFA598438A21B93F597387AB45AE7DA9FBD229,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002529133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:51.638{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local50732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000002529132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EFC7638C0C3E3BD03A8399FC67C5A84,SHA256=58A85FEF11416BAE2EDB035D4EDE87B0C4974C3F1628F463EA92E8A22C0C0287falsefalse - insufficient disk space 11241100x80000000000000002529130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000002529129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:53.172{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D80319EB92C037608838CC5A8B62287,SHA256=8F103984A0FB9C538D26FEA0E16277061E99683BD0DF8701905921203079CA68falsefalse - insufficient disk space 354300x80000000000000001563375Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.725{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22346-false10.0.1.12-8000- 354300x80000000000000001563374Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:46.659{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local22345-false10.0.1.12-8089- 10341000x80000000000000001563373Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563372Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:53.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563379Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.633{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5AE6407BEC3831BDC7635376991A82,SHA256=BA599F789C77FED4A016987AB650BE072FB8A15FE7C03FC67295A61987AB0154,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:54.055{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:54.055{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55168588CE73C4B1FF9F6A55DE5E2446,SHA256=95DCAF6457B18D063EDB3E5359A761AA84D5B8321E02CB91136ACD1CF2CBD729falsefalse - insufficient disk space 10341000x80000000000000001563378Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563377Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:54.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.794{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.792{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563394Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563393Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563392Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.791{761B69BB-C193-6081-2786-00000000BA01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001563391Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.641{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A91719716C692E38794B7B72BEEECAE,SHA256=0392A23E7E75699FB09F2A2A1ED9D5FC557659F11A27F58F435DD2DB9355A6F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:55.092{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:55.092{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ADD580251D6EA95C7E29E768AA8240,SHA256=CAC615CC56D98EED101A82DEFA463F4A06827E5B8DE2F32BD565366FCDC90661falsefalse - insufficient disk space 10341000x80000000000000001563390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.259{761B69BB-C193-6081-2686-00000000BA01}4206872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.114{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.113{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563384Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563383Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.112{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563382Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.111{761B69BB-C193-6081-2686-00000000BA01}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001563381Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563380Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:55.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001563412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.674{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F17E309A1004075328508922E59944D,SHA256=4B8CF518CC31A5558BD856E997F203DC50FCB421712EAF0D725A39E2A66D1001,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002529139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:56.162{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000002529138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 18:33:56.162{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6446E55EBCFA410D07C540A670635F03,SHA256=F16F239B2EFDB11447BD5B16D6A249B0F13FFA33A6D4146F98FFE94F6F37BED2falsefalse - insufficient disk space 10341000x80000000000000001563411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.454{761B69BB-C194-6081-2886-00000000BA01}66366344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.321{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818C-607D-0C00-00000000BA01}8445276C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001563405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001563404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.319{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001563403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 18:33:56.318{761B69BB-C194-6081-2886-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service