23542300x80000000000000001624298Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:43.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B8B68CF1B725E1A6938254D242CBF2,SHA256=29E1A509126A787D3FAB27489C6D6342C10F01E707BF40AE6DF57B6EB84A8478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624300Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:44.339{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D1F87FC414D3B0A7451CAF83E163992,SHA256=A2764BE752BE70B0DF1AE0FBF07C34716E130B96CB9500363B4DEB8EA10F343A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624299Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:44.061{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE1850781A6159AB509578EC73E6ECA,SHA256=68350C299849D698DE10F363FF40344CAD30EDC7016CD17F01F70425C53858F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624302Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:45.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=230777CA45E6DBC03AEC7772C5990D19,SHA256=EA86253C722D94BDFEE93411B7061D08504E662D35417D2983083648BF5EBF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624301Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:45.105{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912E35C7E9B816D6655650C59C3553A6,SHA256=3EEA75D6DA825C2CBC3A38A240BA3BFA3488FB2FA3AC47893E840D50C942FF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624303Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:46.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715995A8EC474CB8B25D4032EFC69E00,SHA256=E5005B3326407F7AFAF5A7CFB6163021729D96A67794F2F74223385F1CC5E0B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624305Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:38.844{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60025-false10.0.1.12-8000- 23542300x80000000000000001624304Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:47.154{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200C77495B5D88FD8366C57D20DA5445,SHA256=D144760CB72BA42BF9273A13887D5FA37B10AD17A57354B10AA5605F6750BCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624306Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:48.158{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A8B8958B8880555810F6400E86C4C2,SHA256=FC65D39DEADDF63F5990B69031AE15A12E7BB6A9641BB167DCDAFFCDADC63541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624307Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:49.183{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D340F855C979BA03CD07181607FC5,SHA256=8E6C795DB25711C06901E229DDBF9F4554F14FD45AFB18BAE0619D521D9F9760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624310Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:50.621{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65C2F483C5448F5C2C6B943FB2216A3,SHA256=5A196399462CB390DEA4DFF7E6D33C9F286160A854242C71EB7EB5C5015FC0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624309Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:50.215{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0F953DC508F515C121188BC0862712,SHA256=BABF59D373009F8E0BA01364E9964E60DA34DFCD36B3C61950F972CBDBB3B303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624308Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:50.059{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AD40A3788AA86CA0EF40E1533C8B661B,SHA256=A82D6F661744C0480FC9F0B83CE9B041EB442938758FE19586ED0163E09C905B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624311Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:51.264{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41506BAA510958089FF3D33A4271AE5,SHA256=B314186CA5659E21EFD05946018E4A9888BC3C99D7DEAFC29AAABD728455FE4D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001624324Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001624323Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x101dc10d) 13241300x80000000000000001624322Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70eca-0x205e5408) 13241300x80000000000000001624321Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70ed2-0x8222bc08) 13241300x80000000000000001624320Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70eda-0xe3e72408) 13241300x80000000000000001624319Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001624318Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x101dc10d) 13241300x80000000000000001624317Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d70eca-0x205e5408) 13241300x80000000000000001624316Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70ed2-0x8222bc08) 13241300x80000000000000001624315Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-SetValue2021-03-01 19:38:52.902{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d70eda-0xe3e72408) 23542300x80000000000000001624314Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:52.308{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12275A1C3AF92BF081CDDEB04E71972,SHA256=403555CA49983023BA7E7344AA2924D1467C2F968C404DE41711EBF7CB9035A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624313Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:52.230{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966CD4CCAE77AB8CA7199E264B7DA2FA,SHA256=EA9FE7C69FD8FCC56A068CCB328B97BD2ADF70D388997171BF190C213D36C179,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624312Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:43.907{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60026-false10.0.1.12-8000- 23542300x80000000000000001624327Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:53.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F59EE7EB961FB0779DB0367FC8353C,SHA256=D87C4CFC753E930D8F7BE265D25F01957583B62C6F524D823CE0AD1DD65DBC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624326Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:53.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCC14309FBF77D539151B8C25C6E17A6,SHA256=D83C115F1533F7055BC81A014E71B827B3B2ED204A382FB668952B11CB255E4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624325Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:44.969{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local50829- 23542300x80000000000000001624329Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:54.367{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD5B9DB4E7920881B24B4C77CB03B60,SHA256=A19B968F8089A66EFFA176EDBF95A69C894068A2AA0AE3F695D6BCE07830F713,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624328Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:45.984{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local50829- 23542300x80000000000000001624331Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:55.449{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC250E5ED1A653855F99C04E6A52DCD5,SHA256=DB872D8B9ACA40C4397D33819EFE99BCCEC5CA2F6273DB18B3DF80FD74427A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624330Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:55.362{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624333Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:56.467{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89069A451EA665AE8D5F55282F96C0B8,SHA256=320FD43806D2E5FB7C1B315014059ED0326011FAC6A41423AC3308D3070690D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624332Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:56.067{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E1738ED1CB3DE1107A4804C045C667D,SHA256=12ED3F99DBDAF3443F97E9C34E7BAAC6027ED55E80CF9CCF5DDA31810B5BA07C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624336Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:57.496{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEDC8BD4D3EF770620DE4D4D825F419,SHA256=ACADA5AD0F1DE6434BE312B00EB3EF9C31CF1840F4542575D2A94E2425A49119,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624335Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:49.110{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60028-false10.0.1.12-8089- 354300x80000000000000001624334Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:48.985{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60027-false10.0.1.12-8000- 23542300x80000000000000001624338Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:58.867{05ADC7E1-7946-6039-1610-00000000AD01}3144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9unhrnfd.default-release\datareporting\aborted-session-pingMD5=B4ECF199A9E55A7C6DE905CCA8C50318,SHA256=09FBCC0D41E0B7D0FD76149F86B31CE83DFEE02FAA5024FCF9B760F685A2E484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624337Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:58.527{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367938336402555C2B511889B5544365,SHA256=7B11DA3B2874E5E1CD02065240F59FEE05BB5C1D972BEC550964E45F15C965D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624346Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.777{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965400C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624345Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.777{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965400C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624344Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.777{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965400C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624343Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.768{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624342Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.768{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624341Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.768{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624340Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.768{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624339Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.561{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4A0499020FAC70D9ACDAAC37ACE898,SHA256=CFE1626BFFA326136F60CB5CA70B6212B1634540A8F14E4DB68BD06A02A578A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624348Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:00.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEB92382455210DC28AF12A13C47FD9,SHA256=C181F17F59C33DA414CEBA87501E99385CF5C6738572E874367CB1A132FBD903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624347Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:00.293{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96E965E8D2F0FE8AC3D166BBED3DA677,SHA256=3D578755751030840823EDB27577A4F7F433F979F07616B6DBBF08483E62C897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624352Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:01.793{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963048F2549B60E433469503153BC026,SHA256=CC0F7CD2D1BE62752CEB72630C6CF39EC6B546E33A799C13596DF364187E8A46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624351Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:54.016{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60029-false10.0.1.12-8000- 354300x80000000000000001624350Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:53.531{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local58459- 23542300x80000000000000001624349Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:01.605{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31F579D1A1626F344E5379D198C8BFC,SHA256=35AEDC16796F0243788612571D5A02992629DAA350213CA7E95087F36CA4B6FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624354Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:54.546{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local58459- 23542300x80000000000000001624353Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:02.656{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53162F6F6C542EBB7EED03AD0CA75725,SHA256=C835D34F4C0B46EB410BB5309B0458116B2B959ABC0251D018B7CC21AFE647B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624355Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:03.683{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E0C77AB5244490D81872BE033FD8DB,SHA256=2699AE79B8F78A109FCB45243925EA7F76B05C2DB20C72D41E35118D6C668847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624356Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:04.699{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492183AA8EE4B2851AFE3DA19C9CB1F1,SHA256=6D73D3BCFCEF3E76ABF070F1EFAE1008429137E56EFFC737717A9A78F274AF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624357Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:05.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9492B8954BCAA172BC72B8E324708F9C,SHA256=0882EC825624ECBF97F31EB12A4BD04532D30893A46886E6FD51126096F9D542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624358Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:06.746{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF305590F1F7E46F951DE582E312581F,SHA256=B8A90031C1A9563048BE3B7D896D0A99E0E07CB143F287F54A04A38F4B7CED44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624361Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:07.765{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE0D8776CD0596AD929DD5112FB5E54,SHA256=5211842C65A32A0D6E6D46D6901D4E84CA26D1B8EBD661387D5F03BC03266DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624360Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:07.159{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9EA28DEFCED2291D8D24647A5B86898,SHA256=40E6AA9E14EF65D82EE967C35508E9BCA4B228F2ECE5B720C64152CCE86D4325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624359Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:07.158{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C755B561B72AAFD241F451C5BA44AB8,SHA256=F8AA3EE1DCAF80EA17C2356430213672C971F165200F01271191D2F4E894F64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624364Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:08.808{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9EA28DEFCED2291D8D24647A5B86898,SHA256=40E6AA9E14EF65D82EE967C35508E9BCA4B228F2ECE5B720C64152CCE86D4325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624363Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:08.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E1963958068AA55201316F639782B3,SHA256=A2EF7CB583EEA0EDECA4304A91880D5BBAD6A6FDB703A6D9460245E2C3301033,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624362Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:38:59.844{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60030-false10.0.1.12-8000- 10341000x80000000000000001624385Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42DD-603D-3782-00000000AD01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624384Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624383Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624382Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624381Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624380Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-42DD-603D-3782-00000000AD01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624379Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.918{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42DD-603D-3782-00000000AD01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624378Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.919{05ADC7E1-42DD-603D-3782-00000000AD01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001624377Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:01.546{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local49761- 23542300x80000000000000001624376Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.824{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E569A4228EFC3B4CA16764DB97CA8BE3,SHA256=3BDB612D42E4AEFE929A60AEDF43D8FD5C80F873CC23179C24F49146028C7BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624375Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.808{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3627553B788C54C326F28C7C41D3A0,SHA256=4AF788A0076C48BD0B7331F38163216E91BBDA9E9147A5E7A7CCA7F08C1E7F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624374Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.418{05ADC7E1-42DD-603D-3682-00000000AD01}24805108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624373Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42DD-603D-3682-00000000AD01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624372Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624371Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624370Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624369Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624368Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-42DD-603D-3682-00000000AD01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624367Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.246{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42DD-603D-3682-00000000AD01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624366Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.247{05ADC7E1-42DD-603D-3682-00000000AD01}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624365Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.215{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=C1EB78D94EC1EA427B83F199E63224C9,SHA256=9895E73A734A72463309A71F337436BA7D36ABC865459F916D24C1D2F5300FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624396Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:02.562{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local49761- 23542300x80000000000000001624395Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.949{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE267FB257C5BA57F2FCE4E32021590E,SHA256=D871A42CA2C7DDD23FB8802730D84A8176955FA6D621AD4F9C8C0C0BF9044A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624394Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.868{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DB01964ECF40EE89F3CC7E3FFCFBC1,SHA256=644710C3B53D6AB886353145D184D3A3F611D2A9D94341D975C6B8F3C9F932F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624393Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42DE-603D-3882-00000000AD01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624392Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624391Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624390Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624389Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624388Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-42DE-603D-3882-00000000AD01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624387Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.590{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42DE-603D-3882-00000000AD01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624386Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:10.591{05ADC7E1-42DE-603D-3882-00000000AD01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624406Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1144B2600982D552D47A67F05E2E11FA,SHA256=8473E601E87A51F35306B6A1B52CCED65C9394937811A4169086D3742BFBEAA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624405Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.449{05ADC7E1-42DF-603D-3982-00000000AD01}53724652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624404Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42DF-603D-3982-00000000AD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624403Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624402Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624401Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624400Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624399Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-42DF-603D-3982-00000000AD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624398Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.277{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42DF-603D-3982-00000000AD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624397Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:11.278{05ADC7E1-42DF-603D-3982-00000000AD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624408Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:12.980{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524DEF06EB94D9D90ED28A3E2C183FB3,SHA256=2A2323B2314043AD6022028ADE0E5742342708764D9BE336DABEFCE216A183C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624407Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:12.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=478450D4A3F448BF89F1BCF759AFBE93,SHA256=29F9A82034EA22F1143967B111CF4D71122E8B54587394537C502A2B9B5112FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624418Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.867{05ADC7E1-42E1-603D-3A82-00000000AD01}56566340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624417Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42E1-603D-3A82-00000000AD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624416Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624415Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624414Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624413Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624412Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-42E1-603D-3A82-00000000AD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624411Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.668{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42E1-603D-3A82-00000000AD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624410Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.669{05ADC7E1-42E1-603D-3A82-00000000AD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001624409Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:04.969{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60031-false10.0.1.12-8000- 23542300x80000000000000001624429Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.683{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147F02752D164CA402B66D4201B04FE6,SHA256=D8E655FBD27681DE4F37EB0110942D8FFE28FA27545B1A793C4AFC0BD4B445A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624428Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.512{05ADC7E1-42E2-603D-3B82-00000000AD01}48884724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624427Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42E2-603D-3B82-00000000AD01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624426Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624425Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624424Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624423Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624422Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-42E2-603D-3B82-00000000AD01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624421Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.340{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42E2-603D-3B82-00000000AD01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624420Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:14.341{05ADC7E1-42E2-603D-3B82-00000000AD01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624419Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:13.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A26A5D78A8407DED9F86408B2A8D118,SHA256=47B7961077D9364F80AE5E95133E9033749B8C86C265A7BABC700BCC4A748A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624438Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.160{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-42E3-603D-3C82-00000000AD01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624437Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.157{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624436Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.157{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624435Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.157{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624434Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.157{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624433Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.157{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-42E3-603D-3C82-00000000AD01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624432Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.156{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-42E3-603D-3C82-00000000AD01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624431Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.155{05ADC7E1-42E3-603D-3C82-00000000AD01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624430Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.012{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3996F5C01AA7E2FD94C56E9B3F50197D,SHA256=E2B893429F3877B9645017B80A57B235717B5565DBFF7A6C266690617F3B3BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624441Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:16.230{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=D32A1B8C36F7315328311C519F7F6484,SHA256=ACD6E4364286923F55F21F361932CE17254062CCDB4B61D4FF7AC1E3DC372AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624440Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:16.215{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68303FE279732A402DB878207803205A,SHA256=57A10048970EE1255513D50D47786294E0CA84945FFC03B62B130F4D6D330731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624439Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:16.065{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EDFAC36A6935E09E9DF666D8E534BB,SHA256=C66D97622CF36495C7CE56ECAB8217DC81F5C71F5A156A292FB8DDB0877F662F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624443Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:17.266{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F8C74FF63F8D98717A6A5BAC62BA812,SHA256=60C5FC1D57DD23F91E2D15FEEF1AD973312BC0B7BE4CA5AFC5572046892F3CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624442Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:17.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253A1D02C01169F6A80B9A36995B31AF,SHA256=10EE9B1ADD9F5ED26163194B22D262BE9C51EDB36BD94635F8D1BA1C65F2D9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624446Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:18.308{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC367561E0E510C152D6D94049585D48,SHA256=792BC9EFAE5008ED878DDCFE8F1C71306461564BDADFB01BD970A2DCC1A79837,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624445Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:09.999{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60032-false10.0.1.12-8000- 23542300x80000000000000001624444Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:18.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1EECD30E685FBF4C03486E93D2713,SHA256=F148D151B2B9A247EDD9D44516AD47E2075EFEC5CCB000ECC13D6804A468A871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624447Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:19.156{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6530598ED28F3163AAFAA9CA820DD4A1,SHA256=D17942418D70B1C7FE535DE37B1843255C5DC393CDDB25341A3C4F4154DE8314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624448Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:20.183{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBC178A940857ABBE6DAD476B79FB29,SHA256=8DAC925AE0D32E9AC7D2E7941394AC03E98E6D4ABAC84D2496B7A466618CB954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624450Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:21.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30C35908558CB544235D491F9DCA2DA3,SHA256=621B098D78FDA09DE91F11494D6B8CA99FE70073097B042EDA328B9C71EEBBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624449Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:21.215{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB02EE7D877CE2812D87C969D255FA78,SHA256=132D347097CC18185D1256718AE146F67B765D88FF20ED69CC0B3B455EEBBBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624451Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:22.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB418BFEFAA7C35443C7ACDBE7B5C7,SHA256=5DD946B9830DFD1C206BF6BDCAE52955DB0BF78655E70CCBC3D6613E393CBA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624455Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:23.293{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10753347C5D6D3C9181E8B1A139BCF88,SHA256=9E60F8C36439F7DF5AB4E1367DB1206787B7EB47469A68F2102884B6EC0047EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624454Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:23.246{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=B0760232D8D224E9B00D11582918C23D,SHA256=B8F7B0E572E1BBDAE56E973F8E618522B5486B901718573CC4272E7B575217C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624453Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:15.859{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60033-false10.0.1.12-8000- 23542300x80000000000000001624452Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:23.156{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A9CA1BCE9D4EF49A48BB9B9BB3AADC,SHA256=AE584AADC83D47A941D35EDC5589F7720B1CAED42D58A6E23E235B319AB800B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624457Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:24.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72D79D7759413237C9823B897914892F,SHA256=23B3ADFA454E6C2DD9B8DF3DD968FB08B3557B79AAE09B20F6BBC04CFD889089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624456Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:24.309{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FB2ABFF86C6AE1049F39BE2052C9D9,SHA256=8B46050C075840CC24B84A54E8711886569A089BAF1D3217252C62DC032E4302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624459Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:25.387{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AFE181E8FD6658F0095A12BC911727,SHA256=0EF04E31403B4E9EA05D4D87340DD7A62ABA50E4F19B084940EC1BB071F0C51A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624458Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:17.436{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local59101- 23542300x80000000000000001624461Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:26.418{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C6EA576BE4B6E4808C50F88754E99C,SHA256=F126E141CF231EEB09D0AB6214F234EA1ECFD70FAE91BAAE6138E7D07721C95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624460Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:18.452{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local59101- 23542300x80000000000000001624462Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:27.449{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07BDE61F0640DDF2C80B68BE3CC7BA3,SHA256=FC668D5E58C90C04531911B5B99BC647AB1CCA5BBCF77EAF23920DC6A7DB2A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624465Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:28.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0762648270913791D17C4D5C1CE467E7,SHA256=2A496DFFFEF9A2E0E71FB98B82A6C2D22423E026C780137E30A21A262EDE18BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624464Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:20.859{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60034-false10.0.1.12-8000- 23542300x80000000000000001624463Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:28.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3983B5C41C5C80170FF613B24DCA0C81,SHA256=C7DB1AA8E4F27040D98A7DEC675A2E6306146586A76B97522CF7EB6512CAD7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624468Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:29.480{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44B2BF5F91F0A3ADA2C1513DDED4B0B,SHA256=8DE7E85F907CB8914C531C3599AC4FA527FC89A4372ECE158131CA39D15CCF05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624467Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:21.172{05ADC7E1-229D-6039-0B00-00000000AD01}852C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60035-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 354300x80000000000000001624466Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:21.172{05ADC7E1-22AF-6039-2E00-00000000AD01}2684C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local60035-true0:0:0:0:0:0:0:1win-dc-974.attackrange.local389ldap 23542300x80000000000000001624470Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:30.496{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5524755084E3E8AD62A40E28E1646C36,SHA256=CEED78D21E1997417027BC8D9A820E12EC6E215C6BFDE34D033317B04DDED710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624469Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:30.263{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=EFE2224A9CA1BE8CDFAB2C35D565BE72,SHA256=744A7E16DDA4F278EC73CD20EA73BC7E50390EB9C641317572EF14618404E10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624471Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:31.512{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBF34E4785BCECA4B39274AA9B56BC9,SHA256=2829A8AFEB5C685CD8D9C61C3DE7E759F52F83F88FACE59B5B1765C752469D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624473Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:32.768{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84C09E3DD6D4A390F5101B06BA85477,SHA256=714EE02B03666744166CE19CC83E055EE981C156E0F52F1F916B3AAC7F30056F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624472Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:32.543{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BC3F677BAB7B86EFE0D3495FDDF34A,SHA256=6971650C0FF5ACD512CB50877676E2052809FCF6A42553ABB7FD83CA11054F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624477Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:33.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2447FBAF1840F9376A96E01967DEE998,SHA256=60999DEB15BB79E74B73A26CC91EC912FB3B44CE5F30D93207F8EBD6028A8BBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624476Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:25.874{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60036-false10.0.1.12-8000- 354300x80000000000000001624475Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:25.671{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local64692- 23542300x80000000000000001624474Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:33.562{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A42F6E3B84CFDB16755E052A0C6A28,SHA256=1727ED32F34994992E8758201790B5C095DA3CF6784CFF4F8EB205060FBB1ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624479Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:26.686{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local64692- 23542300x80000000000000001624478Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:34.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B534BCE8FBD182DFAADAD21BC9E5332E,SHA256=0FCD69FBFD6D4260BAD571FB882ECC7EFA5887A2B3B553C58189013E6E9D04DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624480Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:35.621{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460932DC7DC26B840ABEA62F33929193,SHA256=A9C977010C9F458F2DDF3FF08DEE5007B6340F4BAA1CFA8C4A3F7AF1AF888FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624482Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:36.684{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F81CEA523169966BA00EE43F6539C38,SHA256=FD2910F7DE803761E02A9E03B2291D9291D8239FA42BFBCD0E584C6873A53163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624481Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:36.655{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66620BEB9E94EFC2EE56C3F9A76F0AE,SHA256=3466D5DFA8F426CD230747DD31875CF7EB4598510DE4FA8BE29C711A1594996D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624486Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:37.730{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D22A45828552F65E74F9BB3B02E5689B,SHA256=4F34C789C96788E169D53579983FE30C8575EE1A5A5A6DF01706414215DA2B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624485Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:37.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A5F5240277B461853DDCE542264B52,SHA256=0CFD4929B8832F3DC3603D10F52A621949F9F0DEAB02E012E47FB73A197735F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624484Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:29.721{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-62230-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 23542300x80000000000000001624483Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:37.264{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=7B5230376C3ABA19D4397707A08EDF9C,SHA256=58B7B24CB0FB0B74F32275DB924C8EC9DA8FF5377F910B1E775BE3E7DB75F89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624489Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:38.766{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3BAD18A850A8B7BB14CF69DC1A1F4C,SHA256=79DA6D4729DF3F9B63A78CB8A8EAC8A01BF3125902E0991E03B3ABA105DB2ACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624488Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:30.890{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60038-false10.0.1.12-8000- 354300x80000000000000001624487Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:30.452{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55683- 23542300x80000000000000001624491Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:39.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1FD1454A5DF86ECF0D4E2720B5FA07,SHA256=FE7B5617FD6D53938553ECD4B2B0E38673FF218A8D89A18FE9F4A2393D7F0CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624490Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:31.467{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55683- 23542300x80000000000000001624492Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:40.809{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5BFC482690CF69046EF9EDB848CAA1,SHA256=1E73C8A6F0B142BBFFB61E3AF841658DC0208E501E6851A2150845D6A0A4DBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624494Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:41.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307E2AF3EC888C2B3C0C71546369C30E,SHA256=5ACB48957AC51FB52C36517506BE67B35652948BD276B2BCC251404475A2F732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624493Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:40.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EA8F71D9BBA70433B6D9CD788E4E55,SHA256=56BA3A8FCC9485A5EDADAB7BD9C7CB1F0813C768212FAB3301B0751B9719DAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624495Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:42.858{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDBDE5B1BCD74D0B492B58631F009E3,SHA256=FE154D3EE4CF440F7C2A124CE8A939DC60777CF952DAB9D98CB60D63BB498C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624535Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.949{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5AE51BBE0453201D052C28D3060AFB,SHA256=28CD11998A71313397683C64168941A8A7C231E2265725C54DD4650ED3742A4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624534Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:35.936{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60039-false10.0.1.12-8000- 23542300x80000000000000001624533Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DD6082410B33D3B2AB49731E66D3332,SHA256=0289877CF055E9AFBC2B18D1D6D93391951E0FF7A25FA463C482DD4D31B188C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624532Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624531Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2700-00000000AD01}2776C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624530Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624529Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624528Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624527Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624526Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624525Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624524Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624523Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-41E5-603D-1982-00000000AD01}2688C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624522Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624521Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624520Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D27D-00000000AD01}2752C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624519Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624518Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624517Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624516Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624515Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624514Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7B-603D-D17D-00000000AD01}4500C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624513Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624512Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624511Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624510Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624509Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624508Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624507Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624506Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624505Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624504Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624503Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624502Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624501Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624500Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624499Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624498Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624497Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624496Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:43.121{05ADC7E1-229F-6039-0D00-00000000AD01}6201004C:\Windows\system32\svchost.exe{05ADC7E1-1E7A-603D-D07D-00000000AD01}5796C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624537Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:44.968{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEE3E869456DB045961D49103629933,SHA256=1AD7C16A6C33E0D892EF24B6E80ECFE5A04A8C2DF22E23ABAD9482BA1D39706A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624536Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:44.264{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=57861F97CE60233FDB74FF646432A177,SHA256=429F287C0DA1191B4C65DF5176FF465117FC17390C941E685DEC86F83E02FED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624539Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:45.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B947D93BA42D34FA45657B69D0020187,SHA256=D6CE7CA87275A8789C39E41CC6C04188A577868B493A32056C3FB0D9656A507E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624538Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:45.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2971B5C55DFE84B14EF19D2B067D2DA,SHA256=9E171FD728C6FE52DF2DE104243D9315679C3F152F5567A2BFDEA11A603437BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624540Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:47.012{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E627FE608749AA4A2A6F8152519ABF5A,SHA256=9ACCDC2F895873537D76B574D97C06E1E25F9C6928C140C131A947502366911F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624543Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:40.968{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60040-false10.0.1.12-8000- 23542300x80000000000000001624542Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:48.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97E79DE0FF013AF9C4CD3972766E4A3B,SHA256=99805B475723055963AA9D6A3856CB0AFEFED15FEE81AF37FBFE2DFA07618F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624541Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:48.043{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224A6B1286030CC31439D9507BF6844E,SHA256=E92A0C302C1279E4DF7B7223813DFD5892F2F6D86D4CF235F5C60963224399DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624545Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:49.657{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044413105DF471C3AD0B5DE7458B2E6D,SHA256=FED44248DAA2A4E8CB1314E899B696B80FE2FCD98B85481FE1B30DE687C41CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624544Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:49.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329223E52FEF35BBA3A3C7446ECC7BD2,SHA256=6049940B59AA1E8BD0FD7736A013EB655C2C321F08A964D094660EBE0590FCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624548Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:50.777{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4510E846913C89324C1265963EC9E34,SHA256=67B97E8BD661D0DCA72F8E03DEE49AD4CF4C926738284D52BEAD3B939ECF164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624547Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:50.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B294BB01280F173BAC5A526EE9976A70,SHA256=E2C081AE40B9C1737E7D14B7DB6A73DB70F55E051B9C56157EE261BD492D7880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624546Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:50.090{05ADC7E1-229F-6039-1100-00000000AD01}1152NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=58358561543C7797300D511BD2939F69,SHA256=2AC549DF670348D8174CCC30A07051C52BCF532C48C4F95D6CAF1F55ED0174A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624550Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:51.277{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=363F235175E98EF6CF0BBBC92F9650DA,SHA256=D73914ED37309987DC2AEE313755977834B08E485EC530A1D7D0E0DB1F529BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624549Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:51.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C1541E3BB1577CC5D46A7FD3B749CE,SHA256=79B2B96DEE23858CF7CF0D6E35117AFB91F04A11BB3CE3DA3DC4016F9448CEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624551Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:52.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9D80CF98D0DC83A9626F72CDD16AAA,SHA256=2C9DDCA4FFA53AC4D85C8B5F957C491963CD19C809E9B89BD9E5BD0AF2D48AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624553Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:53.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABDAB9272EA013AF3AE1AD7FC4FEB286,SHA256=BCD3AB230A323BED2CD974C16CD92850A385346ECF8CC1ED6A4877B47A84D356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624552Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:53.215{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76105127525691CD4EF5F8CB746FD53B,SHA256=59AFBFAEA63331CD64E27808D3FCC06FE575F4703D5012AEAA8ADB05375D0988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624555Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:54.246{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4883B7721AA825D7B7765AC39EB181AC,SHA256=E809AF8000D91DB0410F28D0B033798A56BBA1CD98E73AC25B0BE9CE847FCD90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624554Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:45.967{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60041-false10.0.1.12-8000- 23542300x80000000000000001624557Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:55.387{05ADC7E1-FB1F-603C-5979-00000000AD01}6484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D04DD730C2DFA173B41D98E6E0FBCE24,SHA256=25BD0354816452BB32A75B30DADE46EF8E59DD04BE7128F431B20468F632A399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624556Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:55.277{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42442B1E79944F062FE25FD956A02ED8,SHA256=25FD7E2B1EA80C89CB319C5E7E379BE53010C7FB08001511E19E65DC7E0AD172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624559Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:56.434{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16A0D87EC67B2991B89F5048AD8697FA,SHA256=0ACAD841AD7E94C616C658A26D180C93CF07A9FD2D876243D4100F4FBDA65F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624558Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:56.309{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7BFE02F8611F05C9E9C4A8A6B1F5DA,SHA256=E395E327A32B6036C1ABB7ACA6065E4B6701EB083901F7F50E423DBD7115D9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624562Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:57.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C549AAD67A683DFC5A3989E5187FFC5F,SHA256=7B8F944BCA9EEEC723710C4187BC6ADDE287BDF19A9AADDC02D062A992A7D7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624561Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:57.340{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E7A8BBDDADB5DF6F013601022CA0AE,SHA256=1A8C3A0DF2565284E5E8E8E90095C4F0CAE409570351A94A82E51A0E12C3A6EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624560Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:49.139{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60042-false10.0.1.12-8089- 23542300x80000000000000001624564Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:58.359{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C34594FD39DF11C83BACBA1797AD21,SHA256=92F49F5386D045849AC7762189814789F8FC769A1F438C50AE4C9CDCC3FDFFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624563Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:58.293{05ADC7E1-6CBF-6039-3A0E-00000000AD01}4736ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 1@2021-03-01_193909MD5=FD5012ECB3E7EAB85872487EC8712301,SHA256=FF9C15C7574B7BDDED02DF659EC44F3F153E674251D9DD34B6FE1C6A889EF47F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624572Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965400C:\Windows\explorer.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+16679|C:\Windows\System32\SHELL32.dll+af480|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624571Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965400C:\Windows\explorer.exe{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624570Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624569Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624568Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624567Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.934{05ADC7E1-1E7A-603D-D07D-00000000AD01}57965212C:\Windows\explorer.exe{05ADC7E1-4090-603D-F281-00000000AD01}2992C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624566Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.402{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B046C8988489464DD49F9736A2DD51,SHA256=B554CAD784D53C414184E3045CDAB90467B87F1724C7A3A710E5DEED771B0045,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624565Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:51.014{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60043-false10.0.1.12-8000- 10341000x80000000000000001624581Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-4090-603D-F281-00000000AD01}29923888C:\Windows\system32\conhost.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624580Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624579Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624578Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624577Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624576Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-29F0-6039-C005-00000000AD01}49442420C:\Windows\system32\csrss.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624575Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.981{05ADC7E1-4090-603D-F181-00000000AD01}15926300C:\Windows\system32\cmd.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624574Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.990{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "SoundIentifier" /TR "wmic process call create "C:\Users\Public\Disk101.ini:59e9c935"" /SC Once /ST 10:05C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001624573Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.434{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96749CD2B91B738B55772FEE6E093FEA,SHA256=450567173DCD717B54C8D207479BA3764FBA47F184B1D53653D66B830684CF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624599Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.981{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0346D121A186ADC1FAE6096FE004A8,SHA256=4FCDCEE7FE72C988254C28C29A855911B5F52D791301856F33645CD2A34AE640,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001624598Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localT10532021-03-01 19:40:01.868{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Disk Diag2021-03-01 19:40:01.868 10341000x80000000000000001624597Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.868{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624596Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.868{05ADC7E1-229D-6039-0B00-00000000AD01}8524060C:\Windows\system32\lsass.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624595Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.868{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624594Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.863{05ADC7E1-4090-603D-F281-00000000AD01}29923888C:\Windows\system32\conhost.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624593Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.860{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624592Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.860{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624591Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.860{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624590Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.859{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624589Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.859{05ADC7E1-29F0-6039-C005-00000000AD01}49443952C:\Windows\system32\csrss.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624588Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.859{05ADC7E1-4090-603D-F181-00000000AD01}15926300C:\Windows\system32\cmd.exe{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624587Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.859{05ADC7E1-4311-603D-3E82-00000000AD01}6940C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Disk Diag" /TR "explorer.exe C:\Users\Public\Weber0.js" /SC Minute /MO 6C:\Users\Administrator\ATTACKRANGE\Administrator{05ADC7E1-29F1-6039-B11D-350000000000}0x351db12HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{05ADC7E1-4090-603D-F181-00000000AD01}1592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001624586Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.449{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2458540851CE67FBB49F3028D68A23B4,SHA256=9666649D0E1854181DB69D7C4EF66F6F279660E67C2594C514583D702B64E7F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001624585Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.localT10532021-03-01 19:40:00.996{05ADC7E1-229F-6039-1600-00000000AD01}1540C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\SoundIentifier2021-03-01 19:40:00.996 10341000x80000000000000001624584Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.996{05ADC7E1-229D-6039-0B00-00000000AD01}8524528C:\Windows\system32\lsass.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624583Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.996{05ADC7E1-229D-6039-0B00-00000000AD01}8524528C:\Windows\system32\lsass.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624582Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:00.996{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-4310-603D-3D82-00000000AD01}6612C:\Windows\System32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624603Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:02.967{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624602Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:02.967{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624601Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:02.966{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-229F-6039-1500-00000000AD01}1492C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624600Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:02.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE58BB7D9FE53C051AB77E6A68662BFC,SHA256=5AD67E148B10B757738B0FB5142E17DEEFD5F87DF91E492B69D8E65B5DF13763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624605Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:03.481{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFE07513CCAA8C9CD485750FF108B65,SHA256=47C1937554FF5C2F80AAE4BB8E0BD307EA37A1805A7E5A98A83484167CF7D6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624604Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:03.418{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1235DB12E7474B5013AE10E908CF8847,SHA256=03ADB69FBA03F0B480022E22AB340ED4F669E57451FAE3A72B44FE5AE58A4122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624608Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:04.512{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6AA0689A56AAF2E094A22E10762F65,SHA256=D0A192BC21DAF1633975CD74E69F6C56C05412D86AF6F413BF45F88A03E12C78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624607Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:56.795{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60044-false10.0.1.12-8000- 354300x80000000000000001624606Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:56.143{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-64105-true2001:500:2:0:0:0:0:cc.root-servers.net53domain 23542300x80000000000000001624609Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:05.561{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDFAEB453C639D21ED7A19F9BB98374,SHA256=8E20D02B479B8F900A927A9300738F2C8B1F53732D6EC9ED96ABA34038D69E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624612Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:06.590{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B817B4D21D37DAFF275111135D5D5497,SHA256=1B13791201F0478616092F36B01AC358B291E5E5EA9F492F2CD95AA2AA811C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624611Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:58.889{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55109- 23542300x80000000000000001624610Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:06.157{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD5D4A41052274A4EFE849DD1C4B0CD2,SHA256=7BF3C6B5030544FD7F8C3FD98D05BC44E422779FB318970AB972E0B3CA2AE359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624614Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:07.655{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA471E1BAC84CEF8F8BF03DE4C0C1E8,SHA256=822D67157187C1CF0264FD39D4F139B3DE21A67CFC57904665591D515D267CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624613Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:07.168{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABE9AC9C621BFA439FCA703473F5CEB0,SHA256=CCAA01A60CF0D665A22F6665ED5ADB8F2A6D10C070892D914FCDE9838B7D2AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624616Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:08.668{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE9B182AA165FF2F74C636D86028A60,SHA256=4DA5ADDA271D772B3149F03320A4DE56ECA8810D6CFB99EC1C9F09926E901E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624615Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:39:59.904{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55109- 10341000x80000000000000001624635Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.767{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-4319-603D-4082-00000000AD01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624634Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.765{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624633Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.765{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624632Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.765{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624631Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.765{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624630Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.764{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-4319-603D-4082-00000000AD01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624629Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.764{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-4319-603D-4082-00000000AD01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624628Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.763{05ADC7E1-4319-603D-4082-00000000AD01}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624627Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79FC27BF9910D985EE5E73DD3CAE61B,SHA256=CE866F80D52A6BBC3F6933A5CE2FAF2B5185AC7CEC6E51A551811E88AB5BCA85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624626Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:01.795{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60045-false10.0.1.12-8000- 10341000x80000000000000001624625Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-4319-603D-3F82-00000000AD01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624624Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624623Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624622Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624621Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624620Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-4319-603D-3F82-00000000AD01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624619Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.090{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-4319-603D-3F82-00000000AD01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624618Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.091{05ADC7E1-4319-603D-3F82-00000000AD01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624617Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:09.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B60D69371AE2EF7BB6D2EAC87199CCB,SHA256=EF9D7236D1053D907ED88943694F87931A67D330468CD84E46C9A01A87A9F758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624647Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.746{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E80035AAEFC5F48EB95B1A996CD545,SHA256=F91EB58A84E77F5D54E608047C117195B3CE1F8E325C5B39EACA238D3976B81C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624646Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.606{05ADC7E1-431A-603D-4182-00000000AD01}30565760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001624645Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:02.670{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-974.attackrange.local55250- 10341000x80000000000000001624644Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-431A-603D-4182-00000000AD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624643Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624642Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624641Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624640Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624639Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-431A-603D-4182-00000000AD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624638Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.434{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-431A-603D-4182-00000000AD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624637Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.435{05ADC7E1-431A-603D-4182-00000000AD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624636Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:10.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B84DFBF4066E2E42181E26F7D0FFF706,SHA256=8F4A6AA0F9A3319B8C40D5F118417944256256967351C39EB8C2A44B75ED2D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624659Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.778{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D8189A6E2471ECB919D6C51F09FC70,SHA256=51267CBB6E16CC9B90F567A5E8073B53729AD0267CEA4E7B4EB09FDBC4827064,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624658Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:03.685{05ADC7E1-22AF-6039-2D00-00000000AD01}2664C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-974.attackrange.local53domainfalse127.0.0.1win-dc-974.attackrange.local55250- 10341000x80000000000000001624657Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.449{05ADC7E1-431B-603D-4282-00000000AD01}48244108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624656Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.360{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66674C11BB1E7FA4939863E3A301C4BF,SHA256=71B568DEF56CF14B9A772852787E2412B14920768DCC18FA649C2C21B61DBEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624655Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-431B-603D-4282-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624654Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624653Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624652Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624651Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624650Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-431B-603D-4282-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624649Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.278{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-431B-603D-4282-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624648Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.279{05ADC7E1-431B-603D-4282-00000000AD01}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624661Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:12.809{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050B7E4E77E10294C845B277F2CA610E,SHA256=AFB762E74DE85D2F81F38E1DD630EF5E9FF4E40AC56806672DF0A6386FABCF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624660Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:12.468{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3EFE5190CA07C763F33D85B0DDE35F1,SHA256=3C8827D4122B5D2515022917CE6D28FCD4FFBB3EEAB1DCDFFA71519C06AEFE77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624671Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.866{05ADC7E1-431D-603D-4382-00000000AD01}69283948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001624670Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.840{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E657876559DC57FFCE81E51098816C3F,SHA256=AA172A2704E1BFCA4C1C9D604713E4202F35253CD86758513B2E11EF95A88355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624669Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-431D-603D-4382-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624668Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624667Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624666Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624665Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624664Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-229D-6039-0500-00000000AD01}6361168C:\Windows\system32\csrss.exe{05ADC7E1-431D-603D-4382-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624663Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.684{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-431D-603D-4382-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624662Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:13.685{05ADC7E1-431D-603D-4382-00000000AD01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624683Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.868{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504EE7BF171CBD0100755A8207C97357,SHA256=80590672C2BFA795D2317BDE57B955B3B2BA454990F05F3F21541693CDC14EE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624682Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.543{05ADC7E1-431E-603D-4482-00000000AD01}7485776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001624681Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:06.857{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60046-false10.0.1.12-8000- 10341000x80000000000000001624680Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.362{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-431E-603D-4482-00000000AD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624679Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.359{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624678Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.359{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624677Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.359{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624676Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.359{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624675Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.358{05ADC7E1-229D-6039-0500-00000000AD01}636752C:\Windows\system32\csrss.exe{05ADC7E1-431E-603D-4482-00000000AD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624674Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.358{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-431E-603D-4482-00000000AD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624673Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.357{05ADC7E1-431E-603D-4482-00000000AD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624672Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:14.106{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83FA64085128463D40FC5FD1DB97E745,SHA256=4C36186069A58C7086101364BA82FF0A1907106C4FEB28C9E8AF7B1E7BCCBB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624693Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.887{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E2D246DCB37256D38355C791B83F2,SHA256=1F596A31493B057169CC6A0CB19F06FBC7163EB70087B91E796A9CC16DBD6AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001624692Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.158{05ADC7E1-FB20-603C-5D79-00000000AD01}16523928C:\Windows\system32\conhost.exe{05ADC7E1-431F-603D-4582-00000000AD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624691Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.156{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624690Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.156{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624689Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.155{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624688Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.155{05ADC7E1-229F-6039-0C00-00000000AD01}5882412C:\Windows\system32\svchost.exe{05ADC7E1-22AF-6039-2800-00000000AD01}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001624687Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.155{05ADC7E1-229D-6039-0500-00000000AD01}636652C:\Windows\system32\csrss.exe{05ADC7E1-431F-603D-4582-00000000AD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001624686Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.155{05ADC7E1-FB1F-603C-5979-00000000AD01}64843560C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{05ADC7E1-431F-603D-4582-00000000AD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001624685Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.154{05ADC7E1-431F-603D-4582-00000000AD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{05ADC7E1-229D-6039-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{05ADC7E1-FB1F-603C-5979-00000000AD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001624684Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:15.137{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED523846AB2C0EFF3C79706585026A5,SHA256=D4EFCA506D818CC174A2706DACFE95CBE5E18F3BA881FA4EDEED6EA6CEDA97DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624695Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:16.918{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABEAFDAFE73A1FEABA33A780B9AFEB5,SHA256=11078F55026E5C033968A254FDE6660195CFBAD0CF02D09A22CED13DAD6AA868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624694Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:16.157{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=412C9ED556E145684171C98AB2FE62FF,SHA256=5999FAA0D9EBD3D15369457682B6FC62A5B9741C4E04F0D5AEEBA4C64173BD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624696Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:17.934{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BFC924AC3DD6324DD9E820E4929634,SHA256=301FFC41865DA0BDBC204CB01CB486DEF1131C3A2F30BACC64EA80D6B12060E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624697Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:18.949{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA681D78B1BDF74BE2238E4F1821DD4E,SHA256=A94A4C465E75A849E3B677FAF074BFEF12A39FEF24C0343F18B6D0D062CFA0C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624699Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:11.888{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60047-false10.0.1.12-8000- 23542300x80000000000000001624698Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:19.157{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE18166EB19A4143830AB9F5454214F,SHA256=2766AA11E6122A1AB3BFAFC9E0CA6554B4B45EC11CFDF8056D46B98337C1F7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624700Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:19.996{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179793630D9744AD59157E15BF80DDAD,SHA256=72B85C6038A69571F3451059349B41AB4382BA60C8B87A3E78FBB33A967C185F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624701Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:21.064{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316483EC08AF1F4F05FB24AD8D5EE19A,SHA256=8029F9EC571A2E73712F1263BD45384CF0F1CEE9C4B0330B2FB36407A7E9B543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624703Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:22.184{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=303E2EE3671382249B1C0940EE614D09,SHA256=29BE5F08FAC8E9273FFEC8E23C1333B98C12FE80937D1D7768A3A054C387AAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624702Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:22.090{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4165230C1CDB28892BD4E9D4C79AE0B1,SHA256=0D348C5192720198F0D01F1EC334C7C8F841BCF7D8150FA8743CC43B8C6F15BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624705Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:23.715{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E3C0FD1F1BFB378CB782DA55428DD6,SHA256=E4DA75AF608CE32D83B62BF4E15C1591AE44333AD0644811A25A264822AFEED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001624704Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:23.121{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355D200E30AC7415E6EFFF50AF938C56,SHA256=50D766CFA374079FCA59A8102BD8F391F66FCC1C330E4277DBB5954C1A315A93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001624707Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:16.935{05ADC7E1-FB27-603C-8779-00000000AD01}2272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-974.attackrange.local60048-false10.0.1.12-8000- 23542300x80000000000000001624706Microsoft-Windows-Sysmon/Operationalwin-dc-974.attackrange.local-2021-03-01 19:40:24.155{05ADC7E1-FB2E-603C-9079-00000000AD01}4328NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0B5C14D9DEC01C3FB2A8B80F221089,SHA256=BB12C875C84317ACA6AB8307B8E95CDEB45BED98947F96854B70C961269AC3C9,IMPHASH=00000000000000000000000000000000falsetrue