10341000x800000000000000098030Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098029Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098028Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098027Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098026Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098025Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098024Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098023Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098022Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098021Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.194{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098020Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.194{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098019Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.087{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E903B8344D1EAE3B233A60420D484776,SHA256=97E328D991884F4B265C5D7B16619849A67C325C90478A6A5DBBFDE346431D43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098058Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.396{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CD30D57C0C6C4EDA44A74166D3E2F1,SHA256=E6125FC1FB5C5D422AC6E2347465B4FA094A4C73C43DE35FF4770E47CFB1C4AA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098057Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.195{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098056Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.195{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098055Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.035{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50188-false10.0.1.12-8000-
10341000x800000000000000098061Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.196{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098060Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.196{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098059Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.186{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9A81B2ADD4A9ADACB0DCCE08991426,SHA256=82C155ED3EA7DEE4BE9E5FE2C3D8EEB8A141C39D181CD3DEEFE6AC4939903A4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098064Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.197{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098063Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.197{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098062Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.192{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA070F93111E0015F07424DCED1ACF4B,SHA256=93522DAD1D59C45C943EF0EFF448FB7912D8C9CBD533D12493B3C1E52814697D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098068Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.936{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098067Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.198{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098066Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.198{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098065Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.197{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D85CCED45E05FC9822B8904A8717B7,SHA256=8B95BACE48CCA0B388FEFEB2DF1E773302E9604BB3A05112C072191A34119CDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098071Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.204{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C5F0FEC7767158B4FBB7D923088FC7,SHA256=0868E60A4E1F55F6598CC16A23B8A0F5A375B3F172F610B9123A8FD02C619E58,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098070Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.199{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098069Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.199{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098076Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.165{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50190-false10.0.1.12-8000-
354300x800000000000000098075Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.905{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50189-false10.0.1.12-8089-
23542300x800000000000000098074Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.212{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A38DEB5EC830BE23C6F57DFFD6A7A3,SHA256=FE6EF72A9A77B001711406CB94B9E956A5B8F2D224F597A5813AE4F9E4100854,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098073Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.200{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098072Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.200{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098079Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.219{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E98A3A7E700E3E3D96A3A0D704D264B,SHA256=1BB29152F514E55D0B1A18410A24740491D1C522C46A57E956AEE5B30E41DEC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098078Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098077Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098082Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.229{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488F386B88A789A3D5A4A5C26D72CB45,SHA256=D101F4EAC62FA9BE45D2A58BDA90EEC50C5509291C860C398021461E7D0CB316,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098081Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098080Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098085Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:13.246{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01696850C3BE57B93F51573E5D8177D1,SHA256=70408A4C6517433A6557BA83D6196FA27321F45923ED8220D9E563903E74B724,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098084Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:13.202{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098083Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:13.202{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098088Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:14.257{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121C7E1E09DC0D3B8FA3478ADE264FDE,SHA256=33D4B437DC6133680E86A75C50AAA55972B84B034AAFC737F3C0A2D0E3E6D09C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098087Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:14.203{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098086Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:14.203{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098091Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:15.268{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EAFF7AAA90C8CAF93E5D0F3D295EF8,SHA256=276B2B08C631B04071CB358A151E4EADE04770DBB32E5DFAD7FCFA8FBBC3FD66,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098090Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:15.204{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098089Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:15.204{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098095Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:15.042{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50191-false10.0.1.12-8000-
23542300x800000000000000098094Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:16.284{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C7CF48A0E68597E048240111FCA11B,SHA256=0A9D1F195E5D2A955DB6ECD6A0578D92A89EBC2A040848194F00452BAA1DF732,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098093Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:16.205{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098092Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:16.205{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098098Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:17.299{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6499238263AB718038CD463C665A87,SHA256=D31B8E81AE5F6B2D25A3316E34D83D14DA3CE63C9A4A568FD2C0C95691259C9C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098097Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:17.206{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098096Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:17.206{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098101Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:18.308{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C720B15232929EAA44BA635F237C682B,SHA256=970A1BBB6EB07F820D3A1E406AE3A5E1CFC3709A097D330AE30E660CD79CCFE1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098100Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:18.207{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098099Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:18.207{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098106Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:19.908{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83E0ECE7BCD9C1AABE71059EC5941AD,SHA256=1BBD579A7C02BF4C83201F0E4FDDB8784D6E74C8E529F09890F5FC037546328A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098105Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:19.907{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06BC763F8D7BD10E673BA17742F513B,SHA256=FDB287909F611AE8D4C5BA1F6DAE5218D5AA5ED51E20492C29AAAB1B5A0F7518,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098104Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:19.315{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B56583C634D8CB7E6380D9C9BA758D,SHA256=44AABB28574E739D25600616551954EDA1B1A6537F6D4BEEE47B48AB0EB84882,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098103Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:19.208{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098102Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:19.208{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098111Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:18.880{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local50192-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000098110Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:18.880{0F0CAB0C-E52D-6033-3100-00000000AD01}2316C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local50192-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
23542300x800000000000000098109Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:20.323{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF915C8A7970B3F999E82FA497D472FC,SHA256=DC8B347063DFC319E7E4B91DDCC1E95B66C7582F598C3FDB49D51013BE8817A2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098108Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:20.209{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098107Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:20.209{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098115Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:20.172{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50193-false10.0.1.12-8000-
23542300x800000000000000098114Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:21.328{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D49B9EB9AB23F40DB77C0F3A50FACB,SHA256=4F8F8E0B9142B8F8532DBA3A0D6239F02CE4F5DC79F268ACD70F90260E447455,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098113Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:21.210{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098112Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:21.210{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098118Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:22.334{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889D0809BE5C0178186FFC6A5ECDA7C9,SHA256=051943EFC6AD59ACF7DF6B1AF469C9DF16CE323046B57648E7A981BE96BBD300,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098117Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:22.210{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098116Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:22.210{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098121Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:23.340{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AE26A9018A5F441435B0FD87E0513,SHA256=34739571C03512BF2D413CFD2CF32F763E29D43C18B99BCB7CA43DD9511547D0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098120Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:23.211{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098119Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:23.211{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098124Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:24.347{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C4AD3C620C78F17CA7E409F45F11D2,SHA256=561183DFC07C330313F1FC79009623199CE3DCC51773D785BC461E96A4CF8694,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098123Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:24.212{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098122Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:24.212{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098127Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:25.355{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B8D2FF1D76121405DD73F2BB66718B,SHA256=A893D68BFA7FE95D5208D794F29ABB1E4730CB960FE35491827C47D4D8B50B3B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098126Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:25.213{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098125Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:25.213{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098134Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.842{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio6737618447378323786.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098133Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.801{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio6170967010365630749.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098132Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.768{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio5371814722503670723.tmpMD5=244D4CE5225FA6CE75B5642993069918,SHA256=1DBBD5B96F4D0D21820E4409B05EE19BA922DE15BA92D44FCA1116E6D74CED91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098131Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.365{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452725978498BFE819F3E1FE2DE481A3,SHA256=C6D1F72C180167D368727D780D4605C21A8B3746F99F49CE770416EAA4592586,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098130Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.214{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098129Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.214{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098128Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.025{0F0CAB0C-E51D-6033-0D00-00000000AD01}9846852C:\Windows\system32\svchost.exe{0F0CAB0C-E665-6033-0801-00000000AD01}3736C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098138Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:26.043{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50194-false10.0.1.12-8000-
23542300x800000000000000098137Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:27.377{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD60BE8833D5F8204ABACCEEEEDBA13,SHA256=401223BAF53209293C1500B9AB537FF9E5CAA91F3E7CA0C68750C0035ACFCF85,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098136Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:27.215{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098135Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:27.215{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098194Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.230{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x800000000000000098208Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-VerSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\BinProductVersion(Empty)
13241300x800000000000000098207Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-CompileTimeClaimSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\LinkDate06/09/2020 00:17:28
13241300x800000000000000098206Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-PubSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\Publisher(Empty)
13241300x800000000000000098205Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-PathSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\LowerCaseLongPathc:\users\administrator\desktop\beacon.exe
13241300x800000000000000098204Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDBSetValue2021-02-22 22:06:45.779{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exeHKU\S-1-5-21-2309400775-1311174122-2981337477-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\beacon.exeBinary Data
23542300x800000000000000098203Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.527{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C651844CAF65B066769E0BF9F957484,SHA256=878B6039F45613BB06901CFDF0802D0011A937E857AAE481E732A7B8E11BD6C7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098202Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.762{0F0CAB0C-281E-6034-E00D-00000000AD01}708C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local50199-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x800000000000000098201Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.742{0F0CAB0C-281E-6034-E00D-00000000AD01}708C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local50198-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x800000000000000098200Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.231{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098199Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.231{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098211Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.532{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521CC3FEA54AB7F6ABB8397110A15DE7,SHA256=43B5BF6C80E6AAAD96CE19EF0DDDFF3C76978BEAFA791C8226BA814AA8EC7BD1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098210Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098209Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098214Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.544{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B97059E880A961C2CC2CA6CA8A2B5B,SHA256=CB5EAAA141278BB31D92F35927C07F2BA6A7B6DBF67360128097423560A34EF1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098213Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098212Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098233Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.566{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098232Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.565{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098231Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098230Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098229Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098228Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098227Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.563{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098226Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.562{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098225Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.553{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9D56BF43A3BFA1CA37F909ACCC2FD1,SHA256=1084D7F620D4B233261CFB397323C8AB4E9F6DB0F2F35ADE9982D24AFAB74AC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098224Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.234{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098223Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.234{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098222Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.012{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098221Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098220Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098219Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098218Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098217Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098216Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098215Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.007{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098247Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.570{0F0CAB0C-E51D-6033-1100-00000000AD01}1196NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=703B5B4B4FE15E73E78E03DE533A3783,SHA256=75EF217A6FD626A27092788EB42DFE567107F7A06D40DFD1B4CC2EBB700EAF07,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098246Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.569{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80CAA3D96951A101030673BA4E3826D,SHA256=B4AC70E2E1C1320D454AF11C9CAA60424600E7B804EECE11114E7C1FB41CE446,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098245Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.056{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50200-false10.0.1.12-8000-
10341000x800000000000000098244Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.386{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}77927080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098243Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098242Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098241Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098240Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098239Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098238Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098237Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098236Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098235Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098234Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.230{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098250Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.579{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9902BDBA7011B7026D3A6402EAB2A8,SHA256=DA84589BB163049F70F5DBBC1EBE9227D128D8388932484481CD028D5770A71C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098249Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.236{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098248Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.236{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098262Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.598{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B22E2DED27A2B03E78141F8DEB967E6,SHA256=E8DF193BF56E5E4A12E4F9FDF64058E8BF6F5DB9F70E246C4B98A6A680BADF93,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098261Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.502{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}12606656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098260Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.351{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098259Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098258Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098257Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098256Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098255Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098254Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098253Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.347{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098252Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098251Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098283Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.844{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}72442388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098282Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.688{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098281Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098280Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098279Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098278Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098277Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098276Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098275Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.683{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098274Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.607{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEE36EDDC0E7B8B75A5024AC78F8BCD,SHA256=18BAF7D5A7C4B4C134E917BACA92EF4A21110D54D8DB13D1250D68264A73F5A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098273Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.238{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098272Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.238{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098271Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.168{0F0CAB0C-2AFC-6034-3E0E-00000000AD01}27647540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098270Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.019{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFC-6034-3E0E-00000000AD01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098269Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.017{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098268Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.017{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098267Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.016{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098335Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:06.250{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098334Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:06.250{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098339Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.733{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02BA6259309C002A8C47FC9F669B803,SHA256=56B6F82F58E5D3C3FA8D1633F48D6C32D292B339A270C01054CA31F615233226,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098338Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.251{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098337Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.251{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098343Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.954{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098342Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.748{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047E679346D2687B2C9B11FCA4C33C1D,SHA256=03B114C9516C2880128334F5FBEAB53003C91E2F163CD427E8EF84B76C04C6E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098341Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.252{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098340Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.252{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098349Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.754{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1972FBF9808DA0DF005AF1C95189237,SHA256=1AC32BB1D81ED5050533420A552973C19213DD6E9C3CE6FC05E7817E3179A785,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098348Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.253{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098347Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.253{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098346Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.066{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=AB99C041118F7F80C1204CD70CD11BEB,SHA256=BFE408852C541CD4E9B5B2D4919030135FF9CC2AEBDB0F8EA9F595689E08371D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098345Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.066{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=9A4B15D788F56B5155A5093BDADD7C0B,SHA256=DCBCE46802B841FB829BEFF1F9A7CC706743481763F268AD38FA0860C2C739D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098344Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.065{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=976676772AF681E7AE381C25CE035DDF,SHA256=57A0DBB0B581F73D510D1239175D00388EA5F6B79503015D92F100B6A4080D79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098353Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.763{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5138D92EF4146036604C39AD60BAE022,SHA256=EEF7F5DB4A95670C3BF20AA9291D8C62450606D04B61B92D1155113879257714,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098352Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.922{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50204-false10.0.1.12-8089-
10341000x800000000000000098351Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.254{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098350Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.254{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098357Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.776{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B97949B817534616971ED4E7B1B47AE,SHA256=DFEC2F6EE6D90CF6A711F0B5EDF3822FAEC586518F1C85236F6F8FB8807F649A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098356Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.082{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50205-false10.0.1.12-8000-
10341000x800000000000000098355Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098354Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098360Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.785{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40787C24BC729985EBC0E1EC76F7CF1A,SHA256=61C2605F45B61C3155516730862090AED1557F1683389024979CA630B150D5F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098359Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098358Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098363Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.800{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5126BC5FE76960E31A97D23AAFC5D4E,SHA256=E68BD05BECA557EE8D01441C979A7B6AF8142EE1972EEEA7CCBA3F248D71A4E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098362Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.256{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098361Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.256{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098366Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.805{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E67BBBDADC931F1CD7EE8FFC23DA54,SHA256=A56CDFB0B6A620BA29887E06231482B107F85A234E9D60DC1FEF23C39EB6D02A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098365Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.257{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098364Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.257{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098369Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.813{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE8A2CD99B65B908C51876DF4CE6A48,SHA256=430170A5FE68F94DAD45664D8B5BEBB83121762E6FBEB08781D9D06C82D6927D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098368Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.258{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098367Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.258{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098373Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.826{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301B7DD4823E5BE688E598339C96C656,SHA256=EAD2A7C422EABDE115F97FB5C9785FD61E32F7E087CC3B7E8ADF6D3AFF790B70,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098372Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.210{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50206-false10.0.1.12-8000-
10341000x800000000000000098371Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098370Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098376Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.832{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A860DFF5E67B3056221CD2549BA9A908,SHA256=F01AD863A6E285C362D1F2A413BF13030AC7183B08EC54220903CAF4334F7129,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098375Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098374Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098379Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.840{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444B75A5AAA12CB5A2BB72044D09B395,SHA256=D8895FF66DBF33D41C19B8C0250761EC8DE848F40CA70F3CC89FE55D52DA1BE1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098378Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.260{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098377Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.260{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98384; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:19.906; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=5D3D57D003E3A1A6C14804A9BA88B862,SHA256=6B64339B65A08E77522704B7107E57A6B5902A5FC49229F28415228D0D1E93F0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98383; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:19.905; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=D83E0ECE7BCD9C1AABE71059EC5941AD,SHA256=1BBD579A7C02BF4C83201F0E4FDDB8784D6E74C8E529F09890F5FC037546328A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98382; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:19.851; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D9DA110A191A3B3542994A910C4264EE,SHA256=8AD77154C24A1D63F638070E0AF5FE0BF9ED9855114C9AC1D9128D175205C14A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98381; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:19.261; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98380; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:19.261; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98389; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:20.862; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=23F62F4340363A548FA85E36CCD13E63,SHA256=1A2A7BB878158C2109D93D8C7EAD2D0A0F1EFB8245C1B5023B32E8DACC36663C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98388; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:18.882; ProcessGuid={0F0CAB0C-E51B-6033-0B00-00000000AD01}; ProcessId=856; Image=C:\Windows\System32\lsass.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsIpv6=true; SourceIp=0:0:0:0:0:0:0:1; SourceHostname=win-dc-11.attackrange.local; SourcePort=50207; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=0:0:0:0:0:0:0:1; DestinationHostname=win-dc-11.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98387; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:18.882; ProcessGuid={0F0CAB0C-E52D-6033-3100-00000000AD01}; ProcessId=2316; Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=true; SourceIp=0:0:0:0:0:0:0:1; SourceHostname=win-dc-11.attackrange.local; SourcePort=50207; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=0:0:0:0:0:0:0:1; DestinationHostname=win-dc-11.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98386; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:20.262; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98385; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:20.262; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98392; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:21.880; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E051F1A6BB08CBD79C56D0F7C4DB7895,SHA256=D6C9DB18F94A33C4AF30462D6761BA68481207E9D3E4B5AC3E82D5B28A9E0F54,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98391; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:21.263; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98390; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:21.263; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98396; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:22.891; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C6C31DE27E9939DAE7E27245E81279DD,SHA256=3668E32172492E6FAA01A133DC5F5289C49436262ACD51216189949763442323,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98395; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:21.094; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50208; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98394; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:22.264; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98393; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:22.264; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98399; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:23.895; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=DFD156FF2BEB9140D044A260152F4220,SHA256=3D2B1D12479E0AAB5184FEEBA581E2B61A379CE09688EE6FFFDB1C6863CCCA8A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98398; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:23.265; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98397; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:23.265; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98402; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:24.900; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=689AC0627C41E514B412E9CF810BFED9,SHA256=96C6664A2E489C03EB579A8FB93D4192F2802A1474AAF15FCD3D2C881B414757,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98401; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:24.266; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98400; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:24.266; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98405; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:25.909; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=C3F652EB50B32AEEBD560C80CB971320,SHA256=3DB8F5C76E2C6BB60DF2469E2539C84656B6A9D3FB699198EE19BD150226C552,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98404; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:25.267; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98403; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:25.267; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98408; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:26.919; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=AC2C5948384A4F67D0478B546D342C3A,SHA256=BBD01AA714C6669924888BF7751F5680BF492E212B673B866BE4CE87ADB4667B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98407; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:26.268; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98406; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:26.268; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98412; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:27.929; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5D0D97C4CFF1DC0D6F526A8C638B3F14,SHA256=EB086FE24E9ECF5B5B8ACCF8068C8B14590DD9A01119181CB60FA50F09F71751,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98411; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:26.213; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50209; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98410; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:27.269; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98409; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:27.269; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98415; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:28.934; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=249157340CC0B86F2DE305EA711E82F0,SHA256=06440AAF895223C1DE7C5FE12B644BAE4F28FA021A82A09B6576C217740B876E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98414; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:28.270; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98413; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:28.270; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98418; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:29.938; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=6F2EC97627C11109DB39D0A58FB764F1,SHA256=2A01C781D6EF0976EA59373E57707C25D6E40FC42E3A5898D6A6CD76EADA514C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98417; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:29.270; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98416; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:29.270; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98421; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:30.951; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=337887386FB207C6FAC77AD50EB72CDD,SHA256=91BAB526C5EC0454F78AE5FDBE12E9413CF829A2709FF6CE9464D210688EB367,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98420; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:30.271; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98419; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:30.271; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98424; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:31.954; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=381FD6697EC99C094A60E15B828DB389,SHA256=1F911872AEB2A2FD0808E80BBA215CC121AC9D583769AE965D70DAF59A409F0B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98423; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:31.271; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98422; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:31.271; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98427; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:32.960; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=898AA1A9E1DB626C16E05EB505AD1834,SHA256=38DFE43BE5093D51885C7027E1A0D7A459481336E983062ED9E8D9F611D9CA3B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98426; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:32.272; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98425; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:32.272; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98431; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:33.966; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=8ED84EB4B736C743AD22BDFD1A7DCB06,SHA256=ADF2A7D745B9CBE06A2243649628190132F6B748BA7554CBDBB0BBE91BE67E4C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98430; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:32.091; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50210; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98429; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:33.273; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98428; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:33.273; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98434; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:34.978; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D40BAFE7060A9478BFBD28584A3AB858,SHA256=0B6455597C3865837CF5BF279348DA3A21A26881027567E1D2A78E0E9B8EAE12,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98433; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:34.273; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98432; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:34.273; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98437; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:35.991; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=A08C24CDCAE082A00B19C483EC5CB6AB,SHA256=E19266F05139C83AE5E761EE17BE54BB605CDCABAEB3EC378C75DBB63F915D07,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98436; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:35.274; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98435; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:35.274; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98440; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:36.998; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=06D980AB625E83492464180D6EFC3DF2,SHA256=2798E1209BAA2BD15BA397A0C26598A401999344B531D26F06A1454119CE2CBD,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98439; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:36.275; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098438Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:36.275{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098442Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.276{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098441Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.276{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098446Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.215{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50211-false10.0.1.12-8000-
10341000x800000000000000098445Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.277{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098444Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.277{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098443Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.010{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884A4C1E57749DD0AAA91557A53DA306,SHA256=81C498FD9F97188EA2DC4CA6DAA45A16C599C9AF46EB34FFEA5E8FF23D07A7F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098449Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.278{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098448Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.278{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098447Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.017{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB52684B148AE9AE39901E3CDB16222,SHA256=5D140B3F01C7A36473A5D7025DA53A5BE4D15156668E261C9347ED5BE8377378,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098452Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098451Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098450Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.027{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B0D3C664C474F0CAE2AEF084994B3E,SHA256=49510DF43C0AE52A753F279F924CC6A7772A685150F4F77036CCF6D0CECEA18B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098455Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098454Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098453Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.036{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF958C07B3CC4AACEFEEAF8945282369,SHA256=DF036A4FAA06C752B4927D2D68A7C7636C20797CE0F15D78B4DA258E45320E42,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098458Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.280{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098457Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.280{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098456Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.050{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BFB5C7F2147C734774BB3A00B4421F,SHA256=9D6EC9F122A6CECA91AF4DF23A46DE24675A19B656249841E9DFD64AA1C78777,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098461Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.281{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098460Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.281{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098459Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.055{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2009FCFFAA26AF1C748CD8D2C8837E04,SHA256=3F65FEDC09CEEA22465A15B3408801EA0138BDA6A86E4E9C9BF980757F585CBB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098465Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.083{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50212-false10.0.1.12-8000-
10341000x800000000000000098464Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098463Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098462Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.064{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C85C62C0431450535893B7E5EA3BCC,SHA256=68809DAA8D4C5509B2A3AFD17FEB9028F9C4849954289BB564038291D6E156B4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098468Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098467Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098466Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.071{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B7127563DFCBAAB3DF20A26BFB12E,SHA256=5517FAC72F01AF7759765E75D43ACEC6BDB90DF2B08262507F2CC0DD7AB8D480,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098471Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.283{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098470Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.283{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098469Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.075{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A19513FCF0C8CC94C91AF63D5DDEEF,SHA256=E88645781334C4D6E2F460963CF0FCCDCFAD5DB7014659254605872D6BE3F8F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098474Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.284{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098473Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.284{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098472Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.089{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6071B786C4DF87FF50DBB71F53A417,SHA256=A55B44F0666FB0250AA796214FAD8D6F4A28AF271180ED18A2580A13BAEA9C20,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098494Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.844{0F0CAB0C-2B34-6034-420E-00000000AD01}65446020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098493Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.691{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098492Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098491Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098490Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098489Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.688{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098488Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.688{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098532Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.357{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098531Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.357{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098530Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.357{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B37-6034-450E-00000000AD01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098529Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.357{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B37-6034-450E-00000000AD01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098528Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.355{0F0CAB0C-2B37-6034-450E-00000000AD01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098527Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.287{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098526Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.287{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098525Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:51.146{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C46E834455A984ADCBF7B0AB6027FB,SHA256=2DFDFD2ED22303222753CF3A2716CBE487AF17A4EE648A29125EFE5CA198A1AB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.695{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B38-6034-470E-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.693{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.693{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.692{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.692{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.692{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2B38-6034-470E-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.692{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B38-6034-470E-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.690{0F0CAB0C-2B38-6034-470E-00000000AD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
22542200x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:50.283{0F0CAB0C-2B35-6034-430E-00000000AD01}7664win-dc-11010.0.1.14;C:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.175{0F0CAB0C-2B38-6034-460E-00000000AD01}27243748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.160{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E52E11B7FF43652D4FF802BC7548BE,SHA256=818567EB08B4B488FAFD216046D8EDB5B90BE4DF55DBF567FE37C5F0C6614A0B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.025{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B38-6034-460E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.024{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.024{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.023{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.023{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.023{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2B38-6034-460E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.023{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B38-6034-460E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:52.021{0F0CAB0C-2B38-6034-460E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.521{0F0CAB0C-2B39-6034-480E-00000000AD01}70246048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.361{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B39-6034-480E-00000000AD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.360{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.360{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.359{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.359{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.359{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2B39-6034-480E-00000000AD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.359{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B39-6034-480E-00000000AD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.357{0F0CAB0C-2B39-6034-480E-00000000AD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.167{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150321C7E810C388C6B9426536016691,SHA256=57B9333C70F013989CF7ECFE45CC973F9D83F308718E6A4AA5BE320AA8821F3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.731{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio9491242089805566256.tmpMD5=275D85FC45D5242251F92298A81249E2,SHA256=397CB8C6B627C9BA37360DF88A3662D7EE596A741A8B01A65486B196DA211BFE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.175{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.074{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50214-false10.0.1.12-8000-
10341000x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.186{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0C65629E6C9D42EC69651E2A90D2DE,SHA256=1E3BACB2834610B91B0245CDE383F517D2E7738E66FE5FCBA4C1CBF92D447C0E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.291{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.291{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.193{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6FC17BEF49FCD089F152245A07A61D,SHA256=89548971C99F015FC843C98F11922864194A0F4CF1CFD695ADF8A15778E1B0E5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.292{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.292{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.197{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD863B5F6381252AFBF18B472F10CBE,SHA256=B9CDDA23AC30B5ED7F92DAE0428B19E98C4E18E04E027ED7E5CDA35C58010B11,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.293{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.293{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.211{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D050A89008048DBBE8E540150EF2E5,SHA256=1E12D47D84D88EB98B4829AB8B1860626DD3721E9E5B2E32B60CB7B199063DB5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.294{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.294{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.225{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E880D88C24BB90D77DD5EFF2E679629,SHA256=4C587105B5C554BC35A4C96D491A22F51B08EE1355FDA9C4075547D19B428467,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.194{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50215-false10.0.1.12-8000-
10341000x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.241{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4B0017D3665AA2D0F754374089C05,SHA256=D8D0F04105E9B56837A139AE5684E7CAC53C92B286B9A298DABD1EFEF07D4775,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.248{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5FFD67C812D610211439B1067A03A9,SHA256=59DF6A77D15276433310F0ACB1481E53C26B8C75F2D56EB18149EECFD9941026,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.253{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C3D15EF81801628E86E23142288CB,SHA256=C388B4313E6A305689E9C96F33C2E288D8A3D0D16A750BC75EFF3E1183EB9A07,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.264{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1B57EB33DC1E6CC6E5C6BCFEEFA87,SHA256=917E049925AF66BFE6F9A548A1BC9E6120140043E1E29309B1177CAD252BE934,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.298{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.298{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.271{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD31909CF1D3A3A3FAF1BCE60E0CC985,SHA256=D9D383BC52ACF6AD8DF424ABCF50344A989F414874D32AC73676291A9EF7B3A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.299{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.299{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.283{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4053AD6E4E3D0F328B3852A55E66E713,SHA256=F4797A01E1FC7597EEF81ED4CD92FC0179664ABB2D2E16A417F042361211A676,IMPHASH=00000000000000000000000000000000falsetrue
17141700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:08:05.179{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.176{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50125704C:\Windows\system32\csrss.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E666-6033-1101-00000000AD01}24687808C:\Windows\Explorer.EXE{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8e7a1|C:\Windows\System32\SHELL32.dll+8d606|C:\Windows\System32\SHELL32.dll+ce551|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\SHELL32.dll+18cf0c|C:\Windows\System32\SHELL32.dll+18cc63|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.173{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe-----"C:\Users\Administrator\Desktop\beacon.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=3F6E8199D369E1A5CF431FC20FA45569,SHA256=5F3560BA8B3B64858A3ACA88B03129F7C80BCCCD34386C64EC1E7AF09872E8CD,IMPHASH=17B461A082950FC6332228572138B80C{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
354300x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.067{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50216-false10.0.1.12-8000-
10341000x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.288{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F9D5558FFA57BFF4498B686EFE6459,SHA256=5FEF93EE7A781385169C9309A78322DE6DC0E629ABA393AE8B447763E4D19392,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.210{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.210{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
18141800x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-ConnectPipe2021-02-22 22:08:06.205{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.296{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F8CBE19C527A76C875B824E593ED58,SHA256=6FADF5738C3B4D24E97A512012DAA5DFF2AEFF466EF07D1798422429AD35D0B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.971{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.302{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CEA5FD273BFD234BEF3E2488E537C4,SHA256=46A260A9F02B3B83EF9B8F687571A0848FF58EE5DEEC6F1F44DA6B9FF0E15180,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
22542200x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.213{0F0CAB0C-2B45-6034-490E-00000000AD01}4372win-dc-11010.0.1.14;C:\Users\Administrator\Desktop\beacon.exe
23542300x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.308{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6B4C0EC23CA06E9B219E79868F2B99,SHA256=82EF94481C5A78F6ED0D5B028E6EC2DEB37531452EC004358B1047CC9870AD35,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.938{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50217-false10.0.1.12-8089-
23542300x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.319{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EF9CA31204F7B41FE9F0ABC5BA1FE3,SHA256=B67D28960926B58DD03D47DADCC1DC000C04240B0ADFBE37BD0AA140DD05F257,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.303{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.303{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.296{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.295{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.295{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.294{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.189{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50218-false10.0.1.12-8000-
23542300x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.340{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2BB4BC8FE5FF4792D8B053511E54D8,SHA256=0DEBB57C70DD5C8711E2D7374D5B5095B3C9F292E38B415B26929F9E43B4CDAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:12.344{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4ECFE7E2AD3253403939C1B6A9D673,SHA256=F2D3542B664F8BEB9464B3296A2D2FD74F5B3450BA00EDB5622F1E43169A69F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:21.312{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:21.312{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:22.433{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A6DE1F0EFA358ED3ED2CD62A6583E7,SHA256=2634E640C573F0B6E0C6BB9C180B5F5F6D844AA9CA50F30730A830157298CE17,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:22.313{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:22.313{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098726Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:23.441{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FE30C3BE209190E19E2C84284B0C00,SHA256=C23A834FA0A11D58A19C3DEDF36C6AE1A2583FFDD3B03087ED3DDEA5D64BDCAF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098725Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:23.314{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:23.314{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:21.198{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50223-false10.0.1.12-8000-
23542300x800000000000000098729Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:24.449{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A43E9DBB010270EEFB4819E0CDF732,SHA256=2C652AF6F26A7986380DE8F57166CAF1C5FEC922F5C0D5FC749D6B3CFF599DF8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098728Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:24.314{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098727Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:24.314{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098732Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:25.460{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C0D18EAA60C348F3DD01A4FD104E46,SHA256=8E0561486BC079447E2E13E1ABAC84973B6E54B57EE30EDCFB5266FC3DCAFD3D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098731Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:25.315{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098730Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:25.315{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098743Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.466{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818261094E78FB9ACC89F260A1119FF8,SHA256=59D4BBF954AFB85B1896A35AA4C1FF6F19891133225BF628422B5651A22C0061,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.316{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.316{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.040{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.040{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.040{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.037{0F0CAB0C-E666-6033-1101-00000000AD01}24685316C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098736Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.036{0F0CAB0C-E666-6033-1101-00000000AD01}24685316C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098735Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.036{0F0CAB0C-E666-6033-1101-00000000AD01}24685316C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098734Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.036{0F0CAB0C-E666-6033-1101-00000000AD01}24685316C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098733Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:26.027{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio14881350403563792640.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098746Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:27.473{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA03FCEA59602F614140962253D74FCE,SHA256=91C9ADEC517DE3C29135B240A5CA41A2ADFE0379C2E1877704E1EC69C1817BE8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098745Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:27.317{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098744Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:27.317{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098749Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:28.484{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651988093298F68FBB4BF5B549DF8976,SHA256=ACBC019F88D94BC078131DB0FD2FFCD4F1B5130DAC39CF4455EE65E17FE46C1E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098748Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:28.317{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098747Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:28.317{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098753Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:29.489{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0A2FB96294919D09B94B299C698E5C,SHA256=83BB775C09249BE1D264256FC15FB5A87C333B5CBB1E171A455F213B2B37D869,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098752Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:29.318{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098751Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:29.318{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098750Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:27.081{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50224-false10.0.1.12-8000-
23542300x800000000000000098759Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:30.493{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC36A9927D49EABB5CE78D121C4A32E,SHA256=3278D02FEBA8FA6E34CBB8C47D6EC1FE59742B5679DB7CDC36594CB65A360D66,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098758Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:30.319{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098757Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:30.319{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098756Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:30.300{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098755Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:30.299{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.335{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.335{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.208{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000)
13241300x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.208{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000)
13241300x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.208{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000)
13241300x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.208{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x6034397e)
13241300x800000000000000098822Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.208{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x603437bc)
13241300x800000000000000098821Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x60343276)
13241300x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x60342b6e)
13241300x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10)
13241300x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1
13241300x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0
13241300x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14
13241300x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:46.207{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data
10341000x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.336{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.336{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.025{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.025{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.025{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.024{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098833Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098832Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098831Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:47.023{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098904Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.689{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B70-6034-4C0E-00000000AD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098903Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.687{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098902Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.687{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098901Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098900Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098899Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.686{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2B70-6034-4C0E-00000000AD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098898Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.686{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B70-6034-4C0E-00000000AD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098897Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.685{0F0CAB0C-2B70-6034-4C0E-00000000AD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098896Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.337{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098895Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.337{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098894Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.415{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-11.attackrange.local63396-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain
354300x800000000000000098893Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.414{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53338-
354300x800000000000000098892Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.414{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53338-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domain
354300x800000000000000098891Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.194{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:d1f9:83f9:c860:d648:59c:ffff-51480-truee000:fc:c0c3:4c8b:5108:6641:833a:5c75-5355llmnr
354300x800000000000000098890Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.194{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:30db:6294:e004:6d0win-dc-11.attackrange.local51480-trueff02:0:0:0:0:0:1:3-5355llmnr
354300x800000000000000098889Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:46.188{0F0CAB0C-E51D-6033-1100-00000000AD01}1196C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-11.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps
13241300x800000000000000098888Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001)
13241300x800000000000000098887Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000)
13241300x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001)
13241300x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002)
13241300x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0)
13241300x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data
13241300x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data
13241300x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data
13241300x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data
13241300x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.226{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local
13241300x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.225{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty)
13241300x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.225{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-11
10341000x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.217{0F0CAB0C-E51B-6033-0B00-00000000AD01}8561020C:\Windows\system32\lsass.exe{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
13241300x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:08:48.214{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001)
10341000x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.190{0F0CAB0C-2B70-6034-4B0E-00000000AD01}67606376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.158{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C9E08F9F22A330FB87DD6F7815CE8D,SHA256=6E8F65B29CFC06567C51EB8A320CFCEA84D26EE6992F38F8F708DE93A458D633,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.022{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B70-6034-4B0E-00000000AD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.020{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.020{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.019{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.019{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.019{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B70-6034-4B0E-00000000AD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.019{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B70-6034-4B0E-00000000AD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.017{0F0CAB0C-2B70-6034-4B0E-00000000AD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.575{0F0CAB0C-E51D-6033-1100-00000000AD01}1196NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DFA05A9E35E73C52EDE181B283C57D1F,SHA256=93599D48D1CECBF161B3481B1D1DF670244525F667D307B1BF417AC4B6E74AC7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.338{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098915Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.338{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098914Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.242{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501B9FB94961E5D98A619AB691B72B2E,SHA256=874F3DA7585421F4B660A5CFFBDA739E35E41135E57A4609BFA197D541EC6C36,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098913Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.185{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B71-6034-4D0E-00000000AD01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098912Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098911Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098910Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098909Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098908Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.183{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B71-6034-4D0E-00000000AD01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098907Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.182{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B71-6034-4D0E-00000000AD01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098906Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.182{0F0CAB0C-2B71-6034-4D0E-00000000AD01}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098905Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.180{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246BE63003E298572411DBB4E75AB550,SHA256=62C3F55C1C6B623B1DDD00E5D11240E5DCD645932C7711725CAFE1712BDF7D37,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:50.339{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:50.339{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.209{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-11.attackrange.local53domainfalse10.0.1.14win-dc-11.attackrange.local54649-
354300x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.208{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-11.attackrange.local53domainfalse10.0.1.14win-dc-11.attackrange.local53428-
354300x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.208{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local52332-
354300x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.207{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local56563-
354300x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.207{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local52691-
354300x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.201{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60653-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.201{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60653-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.200{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-11.attackrange.local53domainfalse10.0.1.14win-dc-11.attackrange.local65535-
354300x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.199{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-11.attackrange.local60652-false10.0.1.14win-dc-11.attackrange.local53domain
354300x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.199{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-11.attackrange.local60652-false10.0.1.14win-dc-11.attackrange.local53domain
354300x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.198{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-11.attackrange.local53domainfalse10.0.1.14win-dc-11.attackrange.local53242-
354300x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:48.198{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-11.attackrange.local53242-false10.0.1.14win-dc-11.attackrange.local53domain
23542300x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:50.198{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C5B5F557E9A1D07BC2484840126ED0,SHA256=B7596500D8B87708F8E0F6095BA29ADF20B924C3E9C4E44A4A0D7AD60A372923,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098953Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.967{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B73-6034-4F0E-00000000AD01}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098952Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.965{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098951Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.965{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098950Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.965{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098949Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.964{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098948Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.964{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B73-6034-4F0E-00000000AD01}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098947Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.964{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B73-6034-4F0E-00000000AD01}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098946Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.963{0F0CAB0C-2B73-6034-4F0E-00000000AD01}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098945Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.457{0F0CAB0C-2B73-6034-4E0E-00000000AD01}32005800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098944Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.340{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098943Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.340{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098942Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:49.119{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60654-false10.0.1.12-8000-
10341000x800000000000000098941Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.299{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B73-6034-4E0E-00000000AD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098940Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098939Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B73-6034-4E0E-00000000AD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.297{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B73-6034-4E0E-00000000AD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.296{0F0CAB0C-2B73-6034-4E0E-00000000AD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:51.208{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D9B82F34F2C55985CA5C81C821BAF1,SHA256=8A439B3F2C4749AA0AD86020531E54F0B1CDFF7246D29338F43A97192A3A7214,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098966Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:52.799{0F0CAB0C-2B74-6034-500E-00000000AD01}30046660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098965Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:52.634{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B74-6034-500E-00000000AD01}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098964Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:52.632{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098963Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:52.632{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098962Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:52.632{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099012Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:04.339{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E6CA54FF694A57537BC3AC1C1F05B,SHA256=60AD67D83ADC31DA89C6208B938335D26750E53D33E3BB223104F41D21D60F24,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099017Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:05.351{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099016Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:05.351{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099015Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:05.347{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B18B6EFADFF14FA45B0D459035A179F,SHA256=E4573B3E5DCC76C0F0B16E61B75F525D3A9D4D3B20AA70379B6AB2ADAE72C698,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099020Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:06.356{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E58925BBAA647F512E3A89327C442F,SHA256=8A3BBA4A4A58896102CBE9ED2A821A11CD6CE7A976A4DCF6B3C601EE5B6522E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099019Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:06.351{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099018Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:06.351{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099024Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:06.020{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60657-false10.0.1.12-8000-
23542300x800000000000000099023Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:07.361{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A4C66BFCC5EC714B18E381A13F35E,SHA256=7A02426E228A3625B602F1104D782354740FDE0DA32EFC73A45AB2F989D34514,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099022Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:07.352{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099021Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:07.352{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099028Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:08.989{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099027Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:08.370{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE74B0696D0B043E09B6627E4CB39F6,SHA256=D7FC20C118A58E79677896ABAA3CD6D66A14F9C67BE60ACD5DC1C8BA3A57C928,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099026Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:08.353{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099025Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:08.353{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099031Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:09.385{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87559028DC8F77DBDCCB27D20AFA081E,SHA256=714532DE7AF971A38E1ED6C88AA463BAE3F34434423D6E7EE2B8ACB1B99A84BD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099030Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:09.354{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099029Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:09.354{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099035Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:10.398{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49276745F0598BD8D6121487A1D87AB,SHA256=B28DCB41B50D0D159A336B819192CB3AD43AA83F08C43D32A006D44C58F4A2EC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099034Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:08.956{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60658-false10.0.1.12-8089-
10341000x800000000000000099033Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:10.355{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099032Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:10.355{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099038Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:11.408{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8597C760C3C0D0AD074AAF7F2553029,SHA256=2B8F4D606A24D037C82670658A784ADBCEC5F709A648767477516A179799D6E2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099037Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:11.356{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099036Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:11.356{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099042Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:12.418{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF786AE2BABDB131B62B792E4030EDE9,SHA256=3A281D8BCDBEFA8415A90B0D18B4675F6FB9E7162221232739A20F44F602CD62,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099041Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:11.144{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60659-false10.0.1.12-8000-
10341000x800000000000000099040Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:12.357{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099039Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:12.357{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099045Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:13.425{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C515B1B2151D3C3F76E59304E9A0CE6,SHA256=1831D6A7F382151F2E1BD660E19C799257198D0FACBE3C05072DB2B6DE589225,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099044Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:13.358{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099043Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:13.358{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099061Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.818{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E51D-6033-1600-00000000AD01}1560C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099060Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.818{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E51D-6033-1600-00000000AD01}1560C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099059Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.818{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E51D-6033-1600-00000000AD01}1560C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x800000000000000099058Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000099057Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01133a50)
13241300x800000000000000099056Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7095e-0xf8d6088c)
13241300x800000000000000099055Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70967-0x5a9a708c)
13241300x800000000000000099054Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7096f-0xbc5ed88c)
13241300x800000000000000099053Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008)
13241300x800000000000000099052Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01133a50)
13241300x800000000000000099051Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7095e-0xf8d6088c)
13241300x800000000000000099050Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d70967-0x5a9a708c)
13241300x800000000000000099049Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-SetValue2021-02-22 22:09:14.569{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7096f-0xbc5ed88c)
23542300x800000000000000099048Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.427{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F24D5ABB73808613D371D5D76F6109,SHA256=C4271C8CE01B89B9B64EB9DF4728D9960D3551AF9845F65FE2691806C8676C45,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099047Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.359{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099046Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:14.359{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099065Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:15.446{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AC1A217E8F5A1B5CDC6733E341D89F,SHA256=6EF638259F93C22DCDAEF9356C96C5C38765103117D64234E2F20BDFD1A25FCC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099064Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:15.442{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7544CB78FA74874B61FE9DC53EC79D11,SHA256=A3D3C9E02CEDBBFD29239F0A2EFFD1CE9C5E630D881E025F80CA04FD68F91E56,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099063Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:15.360{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099062Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:15.360{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099078Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.457{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D9A164A9EB6D335B460B0A50D2BC03,SHA256=350AB5295017BD693592A8AD6633D6FA71A56D7ECE7BFB1E7C29924219BC2C2A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099077Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.361{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099076Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.361{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099075Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.348{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099074Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.348{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099073Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099072Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099071Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099070Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099069Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.236{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50124104C:\Windows\system32\csrss.exe{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099068Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.236{0F0CAB0C-2B4F-6034-4A0E-00000000AD01}51963760C:\Users\Administrator\Desktop\artifact.exe{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(000000000094F8A9)
154100x800000000000000099067Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.236{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{0F0CAB0C-2B4F-6034-4A0E-00000000AD01}5196C:\Users\Administrator\Desktop\artifact.exe"C:\Users\Administrator\Desktop\artifact.exe"
10341000x800000000000000099066Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:16.236{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2B8C-6034-520E-00000000AD01}3912C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099118Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.808{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio4968641735469190937.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099117Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.765{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio6536678782136733554.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099116Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.652{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio9143769226428029639.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099115Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.613{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio3338794097937990816.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099114Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.536{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099113Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.512{0F0CAB0C-2B8D-6034-540E-00000000AD01}29924264C:\Windows\system32\conhost.exe{0F0CAB0C-2B8D-6034-550E-00000000AD01}5692C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099112Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099111Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099110Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099109Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099108Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50127704C:\Windows\system32\csrss.exe{0F0CAB0C-2B8D-6034-550E-00000000AD01}5692C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099107Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.509{0F0CAB0C-2B8D-6034-530E-00000000AD01}48724624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{0F0CAB0C-2B8D-6034-550E-00000000AD01}5692C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+880732a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87514133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87513e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87fc5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+874d499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87532e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+875164ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+875164ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+8751635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+875082e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87514817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+875143b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87514133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87513e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+87fc5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+874fac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\dd36727cff7bcfbb59917492bccadad8\System.Management.Automation.ni.dll+874fa235(wow64)
154100x800000000000000099106Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.510{0F0CAB0C-2B8D-6034-550E-00000000AD01}5692C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -exec bypass -EncodedCommand dwBoAG8AYQBtAGkA
10341000x800000000000000099105Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.509{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2B8D-6034-550E-00000000AD01}5692C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099104Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.499{0F0CAB0C-E51D-6033-1000-00000000AD01}11366532C:\Windows\system32\svchost.exe{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099103Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.499{0F0CAB0C-E51D-6033-1000-00000000AD01}11361600C:\Windows\system32\svchost.exe{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099102Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.469{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F203995E18D0C709D37ED47D12AE78C0,SHA256=FA63271A74F6FED5C6D56BF6EB2DEB4E819C083B203D59DAFE9D5A8719EFDEA8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099101Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.457{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099100Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.457{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
17141700x800000000000000099099Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:09:17.437{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872\PSHost.132585053573406940.4872.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23542300x800000000000000099098Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.426{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\3\__PSScriptPolicyTest_wt125qkn.og4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099097Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.425{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\3\__PSScriptPolicyTest_j0ukqayr.ptm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000099096Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.411{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\3\__PSScriptPolicyTest_j0ukqayr.ptm.ps12021-02-22 22:09:17.411
10341000x800000000000000099095Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.398{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-2B8D-6034-530E-00000000AD01}4872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099094Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.362{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099093Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.362{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099092Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.357{0F0CAB0C-E51D-6033-1000-00000000AD01}11366532C:\Windows\system32\svchost.exe{0F0CAB0C-2B8D-6034-540E-00000000AD01}2992C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099091Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:17.357{0F0CAB0C-E51D-6033-1000-00000000AD01}11361600C:\Windows\system32\svchost.exe{0F0CAB0C-2B8D-6034-540E-00000000AD01}2992C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099168Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:27.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099167Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:27.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099180Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:28.589{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E506B72EF135FC17B81BFC237768D8A4,SHA256=3396A29513AFD310968C0850B52CED5C308407A5B4C47E0E3923B9263E352F95,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099179Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:26.723{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:30db:6294:e004:6d0win-dc-11.attackrange.local60670-truefe80:0:0:0:30db:6294:e004:6d0win-dc-11.attackrange.local389ldap
354300x800000000000000099178Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:26.723{0F0CAB0C-E52D-6033-2800-00000000AD01}2664C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:30db:6294:e004:6d0win-dc-11.attackrange.local60670-truefe80:0:0:0:30db:6294:e004:6d0win-dc-11.attackrange.local389ldap
10341000x800000000000000099177Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:28.371{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099176Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:28.371{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099184Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:29.595{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99132D91E89BDAE40982EAB5DE4DA3A3,SHA256=81E9B215FE35FF6BA114277C9FD2BA24245698AE3DAC097A276DA74A545D8483,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099183Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:28.031{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60671-false10.0.1.12-8000-
10341000x800000000000000099182Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:29.372{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099181Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:29.372{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099187Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:30.598{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC53C77478C88274671E156284A8034B,SHA256=AAD87BA23DF5242E116FA49E499BBF550D19BC7630014E85C96F35DE6679DBC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099186Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:30.373{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099185Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:30.373{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099190Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:31.621{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8A1885485427EC0BB892A3AC9EB7BF,SHA256=CDD9E0DA5CF23D5B566C543A1E967F575EF5FAD15C4B20B905A50B71A56779FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099189Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:31.374{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099188Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:31.374{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099194Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:32.631{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286B94B7CC43F6FADE7B671B4CC0C9CE,SHA256=CBCDE137E6B2092AACB60B02D63B5EA1DF6D3F22A82E193ABFF91867D6D8FEE4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099193Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:32.375{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099192Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:32.375{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099191Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:32.138{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=251731F7D1C23F2343021BBED94DA198,SHA256=939FFE4C9A6B0FE01752C5775246DF2895F7C29836E475FCBDF78B01FFF404D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099197Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:33.639{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59137A019913B54CD39B1AFFEF931257,SHA256=A25C82FF01581EB93D145BB34EDFA8DDF73121EBC687F3A98881735CFCB1FDAE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099196Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:33.376{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099195Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:33.376{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099201Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:34.646{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FED32F9067116FB5704BD5F96915FD8,SHA256=A8ADC9999173BBAD581AD65F6E6788FD6E91D32FE72B30299CFA914BAFBC244A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099200Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:33.163{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60672-false10.0.1.12-8000-
10341000x800000000000000099199Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:34.377{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099198Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:34.377{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099204Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:35.653{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D19EC682B531E8719DD99D2C56905A,SHA256=0601FD90B6AA0065DF17F2E1B2862221688865F1F670C150D13E0FFA35EE215C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099203Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:35.378{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099202Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:35.378{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099207Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:36.659{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751C103C5339A7C918968BCE2E12FB0C,SHA256=31DF751F93407E6E08FDEEE3B7E480AB602D1E3C00C601404E62AB15A10F8B17,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099206Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:36.379{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099205Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:36.379{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099210Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:37.668{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40316F77B260E4C8496F2D8642FD09B,SHA256=CBEF38CEF8511ADDB5EA66E1B3BD7D9F2F56B1F964C7A6B3285B6BD56A5B4894,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099209Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:37.380{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099208Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:37.380{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099213Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:38.681{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577D42BD761C5314F2F291D948D1451E,SHA256=CFDB3B31C2B6D4C7D0ECC61858A50D6969634B83EA9DAA7FDEA806B87F1E2717,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099212Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:38.381{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099211Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:38.381{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099216Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:39.686{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF520AFA4FE2F47D7525CDC32DD5D28D,SHA256=C2A7577C8D0F2A45C2ADF6FEC3DAACCB715AA2B4A81AA780E21688A39ABC60CD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099215Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:39.382{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099214Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:39.382{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099220Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:40.692{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79374D2C63E165CFE4F14C1E2ECA102B,SHA256=51B15190D71EC278209965A63ED904E3AB39339B24E5B8D0B354FEDB0A1F66F2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099219Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:39.037{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60673-false10.0.1.12-8000-
10341000x800000000000000099265Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:49.333{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099264Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:49.333{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2BAD-6034-580E-00000000AD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099263Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:49.333{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BAD-6034-580E-00000000AD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099262Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:49.332{0F0CAB0C-2BAD-6034-580E-00000000AD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000099277Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:50.796{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E68BADD8502EBA2C0024F36768DD0E1,SHA256=60D0F8FDE99D78C125CC40EA47B3AA4B49DC4F277A8C078BB15D81E7655DD893,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099276Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:50.393{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099275Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:50.393{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099298Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.972{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BAF-6034-5A0E-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099297Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.970{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099296Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.970{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099295Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.969{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099294Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.969{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099293Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.969{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2BAF-6034-5A0E-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099292Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.969{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BAF-6034-5A0E-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099291Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.968{0F0CAB0C-2BAF-6034-5A0E-00000000AD01}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000099290Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.810{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0235093255D0B1AD00164CDF5C68E926,SHA256=DEA20637B93AFEEE326BB511C8AC1378A4DFDDE6F15142380B20A428F9D8062A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099289Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:50.035{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60675-false10.0.1.12-8000-
10341000x800000000000000099288Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.454{0F0CAB0C-2BAF-6034-590E-00000000AD01}49205712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099287Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.394{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099286Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.394{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099285Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.304{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BAF-6034-590E-00000000AD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099284Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099283Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099282Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099281Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099280Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.301{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2BAF-6034-590E-00000000AD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099279Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.301{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BAF-6034-590E-00000000AD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099278Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:51.300{0F0CAB0C-2BAF-6034-590E-00000000AD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000099310Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.821{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545CE518925AEA903A06136C7DE675C8,SHA256=520AF970E4520898259702F958E2580C732B72C81A50C1369B364A373CA0E237,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099309Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.640{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BB0-6034-5B0E-00000000AD01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099308Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.638{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099307Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.638{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099306Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.638{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099305Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.637{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099304Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:09:52.637{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2BB0-6034-5B0E-00000000AD01}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099358Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:05.408{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099363Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:06.967{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF68EDE450E5ABEF65062923913F532,SHA256=4EE42EFDD5AC23F48FF5C094316EF991A0E42BDC0C2A41208B8110DB5C590EAF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099362Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:06.409{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099361Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:06.409{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099367Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:07.980{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B59D429F40CDC5A8947990AAA3C5955,SHA256=D0CAE3F63456C4E14BCDDFE8A336347C0A6C552EB82C682878C0A62FB487D9C9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099366Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:06.166{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60678-false10.0.1.12-8000-
10341000x800000000000000099365Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:07.410{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099364Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:07.410{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099370Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:08.985{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF1C368469EDC232AE1E56A854A5915,SHA256=7DC530CA47F9BAC79F0823C538CBB806200C8D16347B1ABF464C1C6D821469D4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099369Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:08.411{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099368Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:08.411{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099374Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:09.999{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67307C67BF9941F927E13ED47F461F7,SHA256=126EC6BBDEDA56FD40AA9A9094D94AC315989D478EAC2B25058421F46D5CC5DF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099373Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:09.411{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099372Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:09.411{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099371Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:09.008{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099377Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:08.972{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60679-false10.0.1.12-8089-
10341000x800000000000000099376Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:10.412{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099375Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:10.412{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099380Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:11.412{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099379Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:11.412{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099378Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:11.007{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8263CDB5762300B787369A04BAEFDE88,SHA256=2FA5E1F07AAB7571FE2AEEC8E32FDF377FE6762663097EEC7D22E46F08EC50C9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099383Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:12.413{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099382Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:12.413{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099381Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:12.015{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A26B50891824EAE2939BE03D8BEC01,SHA256=11C4F6524DCDF193D83CB5BF264357E1EF00DA36E8682632CDD63942D1F89FA8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099387Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:12.043{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60680-false10.0.1.12-8000-
10341000x800000000000000099386Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:13.414{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099385Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:13.414{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099384Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:13.020{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063FFDEBCC244F67337CB5EF45E8804F,SHA256=A4C2F5F8075E6E7673928E5E6007068D9FDED1DA5F7CF1B36538EF1E80780B79,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099390Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:14.415{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099389Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:14.415{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099388Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:14.032{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A1F834B2B98B752B9B4484B98A0B0D,SHA256=AD41DA69288F2A11B10A8B34907BDCEF5547F3E7716ECD126399FAFF38973CCF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099393Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:15.416{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099392Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:15.416{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099391Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:15.058{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F4EB3B07EC58CCE9213B1792DA0BBD,SHA256=DA97BAD7A98CA095B3D63EE8994A2F27420915EE654645F50C4DF76ADBCC27FE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099396Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:16.417{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099395Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:16.417{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099394Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:16.065{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABB21BA6D3B20E56C83EF5D8FD789A5,SHA256=52F4D75E6EEA68B70E93A05AD04CF4437F52CF73B91BCFC1FA814039EAC228B6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099399Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.418{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099398Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.418{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099397Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.078{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B56DE4317C1A04960DB9543F4A35F,SHA256=3175AA4A6C7193F48F7019FACCFCA9B698B745DE840CB10CE1C42A23319C0EBF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099404Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.542{0F0CAB0C-2B4F-6034-4A0E-00000000AD01}5196C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local60682-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x800000000000000099403Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.165{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60681-false10.0.1.12-8000-
10341000x800000000000000099402Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:18.419{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099401Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:18.419{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099400Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:18.088{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E520FBB2E1625A0AAEB59ECA764C23,SHA256=859751B6AC6C1A3D37143928B869FADBA7E3109E392B1D80296422AD5907A345,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099418Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.942{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EA9B8355BACCC02B853C3C1E20626EB,SHA256=1F38288BFF28EB76ADD57C811AADD5660A73D0A154E2AC97D5B35C41955DDB23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099417Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.941{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9836EAE99187E477A911A9A4CA31157A,SHA256=743841DB336465B363EB248005C17EA65C797FFDF206CC67ABB68BC16CE19B7F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099416Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:17.562{0F0CAB0C-2B4F-6034-4A0E-00000000AD01}5196C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local60683-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x800000000000000099415Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.420{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099414Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.420{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099413Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.376{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099412Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.376{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099411Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.376{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099410Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.375{0F0CAB0C-E666-6033-1101-00000000AD01}24687476C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099409Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.375{0F0CAB0C-E666-6033-1101-00000000AD01}24687476C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099408Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.375{0F0CAB0C-E666-6033-1101-00000000AD01}24687476C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099407Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.374{0F0CAB0C-E666-6033-1101-00000000AD01}24687476C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099406Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.360{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio17047093367388641530.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099405Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:19.096{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298281292C53042FAD1475965635472E,SHA256=46F7D1FBAD1790BF9E85274675265A083AB90B6E521158AB1D58E88ED89382E2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099423Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:18.907{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60684-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000099422Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:18.907{0F0CAB0C-E52D-6033-3100-00000000AD01}2316C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60684-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
10341000x800000000000000099421Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:20.421{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099420Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:20.421{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099419Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:20.104{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964058EDE361109B7F9C9B6681D4DD15,SHA256=48C1ACAD642FDB5BC926DEA807AED713BF817A241470DD65F3B77AFBE65C77C6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099430Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.422{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099429Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.422{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099428Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.327{0F0CAB0C-E51D-6033-0D00-00000000AD01}9846852C:\Windows\system32\svchost.exe{0F0CAB0C-E51D-6033-1000-00000000AD01}1136C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099427Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.295{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099426Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.294{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099425Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.294{0F0CAB0C-E666-6033-1101-00000000AD01}24686440C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099424Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:21.116{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4620C11E141B03615F75BBCAFBE2387B,SHA256=90DDB50B57A12B0319FC50EB8D389EF0A0E52EB6D3A2B56570212EC250BC8C2D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099433Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:22.423{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099432Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:22.423{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099431Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:22.131{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528574893691C75B7E2CB4DAE6A87325,SHA256=E5207CA17809B5FE4726DC361D5F495CAD6C6F6938E602ABE8C0891B1E51D5BD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099436Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:23.424{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099435Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:23.424{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099434Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:23.139{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F32FD3E83D028666FAE4E1314D25FD,SHA256=02449C18B7985119AF216B292DFB5BC8280DC64401CC20D53AE54AEBD4B0E3F6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099440Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:23.043{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60685-false10.0.1.12-8000-
10341000x800000000000000099439Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:24.424{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099438Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:24.424{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099437Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:24.153{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FCE083841EED4C13765D18E95EDA9F,SHA256=6153D1A275CF25158DF5BC0072F16840E9F4E1F84B3A6AA7E534CB2C50BE3BF9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099443Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:25.425{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099442Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:25.425{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099441Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:25.165{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5992F9F6F6E949275A808229A3DD0FF8,SHA256=97E3A6239AF2FAFDD515C242BDA70CC5DDE55DE874821A92A5560B140AFE2908,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099446Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:26.426{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099445Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:26.426{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099444Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:26.173{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B5B2DEF7FE1D1477EE19EE7FEED0AB,SHA256=D22AC334FE2AF30F388A16F09D9970A498AC8E7CBCD0137E6D526A7DAA0927C4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099449Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:27.427{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099448Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:27.427{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099447Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:27.181{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945A5D1376FBB84B622C0221979BE8FB,SHA256=CB3B02DE792201C1753D34F33F4B71250EA105E287E606492A08A7E81C30C961,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099452Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:28.428{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099451Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:28.428{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099450Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:28.192{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22DBDE44BB13AE8476ABE5D0E01A552,SHA256=0BFA110654DB2BFC92F041614C7C75105497226759C78B3C18F6075615D05870,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099456Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:28.166{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60686-false10.0.1.12-8000-
10341000x800000000000000099519Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.989{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099518Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.989{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099517Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.989{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099516Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.988{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2BE7-6034-5D0E-00000000AD01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099515Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.988{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BE7-6034-5D0E-00000000AD01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099514Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.986{0F0CAB0C-2BE7-6034-5D0E-00000000AD01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099513Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.444{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099512Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.444{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099511Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:47.345{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB39A5CEED78D60D8624E94220195FF1,SHA256=4045B9F09D35937AC3F35CACFCD129F9D9851D31B679A5EA4A15CC0CA86C8409,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099533Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.837{0F0CAB0C-2BE8-6034-5E0E-00000000AD01}48402176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099532Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.673{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BE8-6034-5E0E-00000000AD01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099531Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.671{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099530Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.671{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099529Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.671{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099528Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.670{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099527Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.670{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2BE8-6034-5E0E-00000000AD01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099526Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.670{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BE8-6034-5E0E-00000000AD01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099525Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.669{0F0CAB0C-2BE8-6034-5E0E-00000000AD01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099524Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.445{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099523Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.445{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099522Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:48.360{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA3D05ECE3CC4E7CAFFE2A20D63DB73,SHA256=69643837C049650B2173418DF4B0F4C193F8D62205D903063C946204A0888A73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099545Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.581{0F0CAB0C-E51D-6033-1100-00000000AD01}1196NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C817CD1501232118FE35DC23909424A,SHA256=BDA83EFA7244A6C812E2DA6DA8548C44ED2BE6C89410810ED6B765371D0D617E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099544Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099543Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099542Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.379{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CB6D6452DCF99B819E98D9C4CC6ECB,SHA256=869FA539B871C761CBE6652685BF2EDCC32B5E3E2BDA17A02C27104E97C122FF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099541Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.340{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BE9-6034-5F0E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099540Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.338{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099539Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.338{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099538Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.337{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099537Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.337{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099536Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.337{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2BE9-6034-5F0E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099535Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.337{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BE9-6034-5F0E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099534Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:49.336{0F0CAB0C-2BE9-6034-5F0E-00000000AD01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099548Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:50.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099547Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:50.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099546Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:50.389{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD8A74F555881C2DF370B420F9F4EC,SHA256=4BB15B3B87C8890DA060700421047EAB7EEDAB9F57C74B1E9020E1510B09BF4C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099569Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:50.156{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60690-false10.0.1.12-8000-
10341000x800000000000000099568Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.852{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BEB-6034-610E-00000000AD01}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099567Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.850{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099566Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.850{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099565Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.850{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099564Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.850{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099563Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.850{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2BEB-6034-610E-00000000AD01}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099562Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.849{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BEB-6034-610E-00000000AD01}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099561Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.848{0F0CAB0C-2BEB-6034-610E-00000000AD01}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099560Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.457{0F0CAB0C-2BEB-6034-600E-00000000AD01}10766788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099559Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.447{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099558Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.447{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099557Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.396{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB2B272EF2E8B4C7C33B152DBE10DD5,SHA256=86C0A024CC97463E1BD6078F7937D96A822189654C72F95A4B19EE872EA21C46,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099556Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.299{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BEB-6034-600E-00000000AD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099555Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099554Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099553Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099552Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099551Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.296{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2BEB-6034-600E-00000000AD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099550Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.296{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BEB-6034-600E-00000000AD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099549Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:51.295{0F0CAB0C-2BEB-6034-600E-00000000AD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099582Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.683{0F0CAB0C-2BEC-6034-620E-00000000AD01}31642824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099581Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.519{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BEC-6034-620E-00000000AD01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099580Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.518{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099579Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.518{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099578Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.517{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099577Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.517{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099576Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.517{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2BEC-6034-620E-00000000AD01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099575Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.517{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BEC-6034-620E-00000000AD01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099574Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.516{0F0CAB0C-2BEC-6034-620E-00000000AD01}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099573Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.447{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099572Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.447{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099571Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.404{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5D7A233DBA3D7655E834888B41A0BF,SHA256=830C17FF74A14CA08E9062F1A6B02D636E4B27F997EF71BAEBCFCB5859FAF6D7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099570Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:52.008{0F0CAB0C-2BEB-6034-610E-00000000AD01}11007100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099593Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.448{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099592Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.448{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099591Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.416{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9AAC19101800DE45E863D60BE45C31,SHA256=D2B511366AD1570D09FFF24B772AB463A8BEC36949452995612E025FE944465F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099590Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.186{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2BED-6034-630E-00000000AD01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099589Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.184{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099588Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.184{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099587Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099586Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.183{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099585Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.183{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2BED-6034-630E-00000000AD01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099584Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.183{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2BED-6034-630E-00000000AD01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099583Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:53.182{0F0CAB0C-2BED-6034-630E-00000000AD01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099596Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:54.449{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099595Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:54.449{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099594Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:54.419{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD03917E27698AA81ED381A73DB4D2D0,SHA256=4E7F618523C7CC4988BCC066A747F955AE1A210B14CA86F12453038FD697C858,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099599Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:55.450{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099598Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:55.450{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099597Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:55.429{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C5612A45EBBD592BFDD806E03BFEC3,SHA256=81FEE535210FDD4018C0C67B49A4356DF3051E158E7EFA6872283CAC80AE612E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099602Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:56.451{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099601Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:56.451{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099600Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:56.434{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77678612AA80AE6C9411193B056050B9,SHA256=9A94717EF816D26481343D69D043A5805E431DB8C6A2D151B2603FD38E6B536E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099606Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:56.033{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60691-false10.0.1.12-8000-
10341000x800000000000000099605Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:57.452{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099604Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:57.452{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099603Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:57.442{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD475D86699F7986186182B16E40171B,SHA256=A2341125F79616875C33A330822E410BF8D7AEC0769CC15B3C952CC619F570EF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099609Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:58.453{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099608Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:58.453{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099607Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:58.448{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072A0CBD9C776D093687A7AE871EF9DC,SHA256=E3CF31BC653641D73DBE91EA064B933195275968C6C92B74FC27EDF2B6A5F636,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099612Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:59.467{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7EAD282687196AADA36D87A0D84FC2,SHA256=BC5B069850781A1A21EAD5709E8DCED8FD41145BAA26D14FE39BAB2218805A80,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099611Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:59.454{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099610Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:10:59.454{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099615Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:00.478{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F482C9B65404F004C20B8807C8F5BA42,SHA256=1785F2FA105A071314CEBD585EB0506D56954EFF5EBFB72764787C21BF9DB0CC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099614Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:00.455{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099613Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:00.455{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099618Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:01.485{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28A3D642F5049263AA96971B2D55858,SHA256=636674BBF8CC2E144369023EF0C80639AD37D5F32F427EDE88CB3E5DB7D1F966,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099617Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:01.456{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099616Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:01.456{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099622Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:01.154{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60692-false10.0.1.12-8000-
23542300x800000000000000099621Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:02.490{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9C3E8893A51463F313814FC3F6603D,SHA256=DAE82D7F8D6521D96566B9F2F7EFDDB16590AE3E02373AFC8F8DE7CD966E7497,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099620Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:02.457{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099619Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:02.457{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099625Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:03.499{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5A1D27252A24DB7C02E96AC7630C76,SHA256=60C5FEE9E3F13C26260C530A2C6635286DE757D2AEBB9EB28DE7F922F4BCB11E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099624Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:03.458{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099623Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:03.458{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099628Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:04.508{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC099801453314FA21B063C07367BD9B,SHA256=303151BB193BF3E37F76DC33A873DD05F42BFE25C310CFCA34D126A9E6F1D65A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099627Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:04.459{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099626Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:04.459{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099631Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:05.513{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24DEBFCB207CD573CA57D05DC4788F6,SHA256=4A97A9A901CEFD7BCFD91D51333307C74F1AFC60137B4AEC6BB4D5501F40B3BB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099630Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:05.460{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099629Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:05.460{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099634Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:06.519{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FA616EF4A7240E4E0FA8838504DD5B,SHA256=FAC0F29A45402B3CC81DAD4DEE4B411FD548A677AF6D54A30E5CDE5ACC87577A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099633Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:06.461{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099632Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:06.461{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099637Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:07.523{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F950BAFBA28CB1C07C7D855D067DF2A,SHA256=2A55A36CFA584E2E885B971DAD7FDF27DF1068FA58EFD2A197E7D98627E0319B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099636Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:07.462{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099635Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:07.462{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099641Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:07.033{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60693-false10.0.1.12-8000-
23542300x800000000000000099640Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:08.531{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02E214758113515229362E8CA5976EA,SHA256=2B6D60359A5C13104423D20D12E50748C80E15743F934082B58AE64611A47657,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099639Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:08.463{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099638Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:08.463{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099645Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:09.538{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2E7061CF32D689A1F6DB56518A89D6,SHA256=B944D53FC7AF428E04B904BD8294D5CC8E688C3B3A6FCB239D84B4933A3C33D7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099644Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:09.464{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099643Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:09.464{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099642Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:09.026{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000099649Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:08.989{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60694-false10.0.1.12-8089-
23542300x800000000000000099648Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:10.543{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE784DC80B0EC6BA21CBB6ED23BADFF,SHA256=BA190427699DF11C368262C606A7BCBC667F1889714298CDF90F9CEBAFCE3331,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099647Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:10.464{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099646Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:10.464{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099652Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:11.562{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FA2C29A1C46C056E2CEE224AD0BFCF,SHA256=2E668EECF865FA18AD8BC8AFD9BF15D7218A65B86B9F8E05D8AF7565A912C114,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099651Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:11.465{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099650Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:11.465{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099655Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:12.569{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE234D0900F5AB9E45DDEE20F0EF546D,SHA256=87BD7CC5690ECF829ACBAC3149CE80A412EC7BE0C73B51D3EC920465056B54DE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099654Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:12.466{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099653Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:12.466{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099659Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:12.160{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60695-false10.0.1.12-8000-
23542300x800000000000000099658Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:13.587{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E4E6670260E505935EF46E6B72B1F8,SHA256=81BB981EEB0470E87EC24B1A6C62DA14942EDE912232B9C98F35E6C06DE84A9F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099657Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:13.467{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099656Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:13.467{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099662Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:14.601{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAA76686BA12BDC74F06EBC19CED4B3,SHA256=7240E478F05922630851C3EA441EBA5E48FA93F0CEA37A6AF833C8D1A248365A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099661Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:14.468{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099660Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:14.468{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099665Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:15.606{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89CFECFC8BCCC30EC3CC8B4F3E11041,SHA256=90FA5EE692D55EB42AC31023822218D4BC8E6DDD0CB2061801BB97C462F38542,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099664Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:15.469{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099663Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:15.469{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099668Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:16.612{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41588286B6A17F3E47A921B1A3E4552A,SHA256=5E1B466D2DE9C3BAA42A47EA86CFB9919107A7AF8540970B0841DBC4D0EEB021,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099667Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:16.469{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099666Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:16.469{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
17141700x800000000000000099680Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:11:17.754{0F0CAB0C-2C05-6034-640E-00000000AD01}6524\postex_f3c3C:\Windows\system32\rundll32.exe
10341000x800000000000000099679Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.644{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099678Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.644{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099677Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.644{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099676Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.644{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099675Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.644{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50127704C:\Windows\system32\csrss.exe{0F0CAB0C-2C05-6034-640E-00000000AD01}6524C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099674Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.643{0F0CAB0C-289A-6034-F30D-00000000AD01}14005628C:\Windows\system32\rundll32.exe{0F0CAB0C-2C05-6034-640E-00000000AD01}6524C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(00000221929FF10D)
154100x800000000000000099673Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.643{0F0CAB0C-2C05-6034-640E-00000000AD01}6524C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{0F0CAB0C-289A-6034-F30D-00000000AD01}1400C:\Windows\System32\rundll32.exeC:\Windows\system32\rundll32.exe
10341000x800000000000000099672Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.643{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2C05-6034-640E-00000000AD01}6524C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099671Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.628{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE8C1D6189A1234CF4546436152034,SHA256=0CB373F8460565C5E80437AD6E53D9BA4F4D6B7FE6CC3E1DDDDC21B2DC28222C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099670Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.470{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099669Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.470{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099696Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:17.575{0F0CAB0C-2B4F-6034-4A0E-00000000AD01}5196C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local60696-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
17141700x800000000000000099695Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:11:18.870{0F0CAB0C-2C06-6034-650E-00000000AD01}6660\postex_5019C:\Windows\system32\rundll32.exe
734700x800000000000000099694Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.857{0F0CAB0C-2C06-6034-650E-00000000AD01}6660C:\Windows\System32\rundll32.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid
10341000x800000000000000099693Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.861{0F0CAB0C-E51D-6033-1500-00000000AD01}13166196C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099692Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.748{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099691Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.748{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099690Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.748{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099689Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.748{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099688Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.748{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50125704C:\Windows\system32\csrss.exe{0F0CAB0C-2C06-6034-650E-00000000AD01}6660C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099687Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:18.747{0F0CAB0C-289A-6034-F30D-00000000AD01}14005628C:\Windows\system32\rundll32.exe{0F0CAB0C-2C06-6034-650E-00000000AD01}6660C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(00000221929FF10D)
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99686 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.747" ProcessGuid={0F0CAB0C-2C06-6034-650E-00000000AD01} ProcessId=6660 Image=C:\Windows\System32\rundll32.exe FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Windows host process (Rundll32)" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=RUNDLL32.EXE CommandLine=C:\Windows\system32\rundll32.exe CurrentDirectory=C:\Users\Administrator\Desktop\ User=ATTACKRANGE\Administrator LogonGuid={0F0CAB0C-E664-6033-7D1A-140000000000} LogonId=0x141a7d TerminalSessionId=3 IntegrityLevel=High Hashes="MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C" ParentProcessGuid={0F0CAB0C-289A-6034-F30D-00000000AD01} ParentProcessId=1400 ParentImage=C:\Windows\System32\rundll32.exe ParentCommandLine=C:\Windows\system32\rundll32.exe
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99685 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.747" SourceProcessGUID={0F0CAB0C-E51D-6033-1400-00000000AD01} SourceProcessId=1304 SourceThreadId=6556 SourceImage=C:\Windows\System32\svchost.exe TargetProcessGUID={0F0CAB0C-2C06-6034-650E-00000000AD01} TargetProcessId=6660 TargetImage=C:\Windows\system32\rundll32.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99684 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.645" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=42399E9CC1F06CD090CF022905DA0A1E,SHA256=920AE4C0EF29F53BAB0CEB04739EDE556D69A0862E633E994C1D6A1D80E4754A,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99683 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.471" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99682 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.471" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99681 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-02-22 22:11:18.246" ProcessGuid={0F0CAB0C-289A-6034-F30D-00000000AD01} ProcessId=1400 PipeName=\postex_f3c3 Image=C:\Windows\system32\rundll32.exe
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99705 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.943" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes="MD5=694852296229B3D8AF17A241B6B03621,SHA256=96AA0628207E5ABF4E4FFD6944B79A51CB2E415592ACF6D207C2C4ABAF5F58D0,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99704 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.942" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes="MD5=8EA9B8355BACCC02B853C3C1E20626EB,SHA256=1F38288BFF28EB76ADD57C811AADD5660A73D0A154E2AC97D5B35C41955DDB23,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99703 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.662" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=97E77AA2CC8800A280E3F81218A1775D,SHA256=0C6E01AB540B3A911482B3095AF6237F89580D0E4374B29D7226A0BF705F364D,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99702 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.471" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99701 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.471" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99700 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.353" SourceProcessGUID={0F0CAB0C-2C06-6034-650E-00000000AD01} SourceProcessId=6660 SourceThreadId=5824 SourceImage=C:\Windows\system32\rundll32.exe TargetProcessGUID={0F0CAB0C-E51B-6033-0B00-00000000AD01} TargetProcessId=856 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000203D622D798)
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99699 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.351" SourceProcessGUID={0F0CAB0C-E51B-6033-0B00-00000000AD01} SourceProcessId=856 SourceThreadId=1020 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={0F0CAB0C-2C06-6034-650E-00000000AD01} TargetProcessId=6660 TargetImage=C:\Windows\system32\rundll32.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99698 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.351" SourceProcessGUID={0F0CAB0C-E51B-6033-0B00-00000000AD01} SourceProcessId=856 SourceThreadId=1020 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={0F0CAB0C-2C06-6034-650E-00000000AD01} TargetProcessId=6660 TargetImage=C:\Windows\system32\rundll32.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=18 Version=1 Level=4 Task=18 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99697 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- EventType=ConnectPipe UtcTime="2021-02-22 22:11:19.350" ProcessGuid={0F0CAB0C-289A-6034-F30D-00000000AD01} ProcessId=1400 PipeName=\postex_5019 Image=C:\Windows\system32\rundll32.exe
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99710 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:20.678" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=6F1B65182A227B0D4238BA6AE072A596,SHA256=506E2271B9B0F7DFCB171FBA87564BD1189F6D928A5B9C55D601757E64489F41,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=22 Version=5 Level=4 Task=22 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99709 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.546" ProcessGuid={0F0CAB0C-2C05-6034-640E-00000000AD01} ProcessId=6524 Unparsed="null-255.255.255.255123-" Image=C:\Windows\System32\rundll32.exe
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99708 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:20.472" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99707 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:20.472" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99706 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.040" ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01} ProcessId=632 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-11.attackrange.local SourcePort=60697 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99716 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:21.683" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=413D32F9255C6B1F0713EB15405FC17C,SHA256=6AD3864EACA9952EB692F4A37D71B7CB4FF803E177597987E423CF57104DDB4F,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99715 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:21.473" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99714 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:21.473" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99713 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:19.832" ProcessGuid={0F0CAB0C-2B4F-6034-4A0E-00000000AD01} ProcessId=5196 Image=C:\Users\Administrator\Desktop\artifact.exe User=ATTACKRANGE\Administrator Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-11.attackrange.local SourcePort=60699 SourcePortName=- DestinationIsIpv6=false DestinationIp=34.218.235.219 DestinationHostname=ec2-34-218-235-219.us-west-2.compute.amazonaws.com DestinationPort=443 DestinationPortName=https
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99712 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.908" ProcessGuid={0F0CAB0C-E51B-6033-0B00-00000000AD01} ProcessId=856 Image=C:\Windows\System32\lsass.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-11.attackrange.local SourcePort=60698 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-11.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99711 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:18.908" ProcessGuid={0F0CAB0C-E52D-6033-3100-00000000AD01} ProcessId=2316 Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-11.attackrange.local SourcePort=60698 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-11.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99719 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:22.687" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=003B6C7D64B952BB847BDE35D32F66EC,SHA256=A28CF48535CCE9756A4F1A149FB0F9A8D2027715CC8AB367556DDF83BCFBADD1,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99718 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:22.474" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99717 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:22.474" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99722 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:23.692" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=2541A658D442D58E6B8F5830F9F9BB41,SHA256=4496061236D95D078528ABD90E1BEFF34199416A07B47851FB816436FA35E815,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99721 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:23.475" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99720 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:23.475" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99725 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:24.700" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=8E37AEF40861FA5201DD2B537F372CC7,SHA256=4342B1803040AE9953C7E35A0D53AEF5285B1A8508590116D21639C28393D528,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99724 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:24.476" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99723 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:24.476" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99730 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-02-22 22:11:25.775" ProcessGuid={0F0CAB0C-E51D-6033-1200-00000000AD01} ProcessId=1204 Image=C:\Windows\system32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime Details="QWORD (0x01d70967-0xa95277cb)"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99729 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:25.726" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=691605108ED57CAC33399666D8D72CD2,SHA256=27E22F48E98A6815D2F92E10E28F52DF5942EC1C331BE8A68A5EDB9373121013,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99728 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:25.477" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99727 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:25.477" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99726 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:23.165" ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01} ProcessId=632 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-11.attackrange.local SourcePort=60700 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99733 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:26.731" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=EE6FB8EB294A5329EEB8AC98D5E7287D,SHA256=1A7D33E201ABB830AF013610FDD8A9796D92D410DAED9C4A13F3A3E9F73568B5,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99732 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:26.479" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99731 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:26.479" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99736 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:27.742" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=59D22CC1BB65563A924486396C71D872,SHA256=AB13D55988B9DE630C53B8CCD14C694E0ABFF4E349BFFAAC283F975BFDA5F0D4,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99735 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:27.480" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99734 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:27.480" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99739 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:28.746" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=0C58A1E3E6EE21A2D46587B6B58970D2,SHA256=9E60B105BA9C4C0C240EF4B72D97D979EF01EF56D11FC22F45C642AF596C8D38,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99738 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:28.481" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99737 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:28.481" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99742 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:29.750" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=3B2894CB488E9FAA28AC827F957D26D6,SHA256=9ABA37D48914C5E715697644F55B23560D99E1ED13BB8EF7C79C144158E4D0C5,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99741 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:29.482" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99740 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:29.482" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99745 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:30.765" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=06F61DED7C08FEAE437F030A8E5E5EC1,SHA256=95AA01199E3321227539F72598A175838212E9EA6D58C47EE1D1BC20E14414DA,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99744 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:30.483" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99743 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:30.483" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99749 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:31.781" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=8A1B415EA4ED377192D8C56F077C37C3,SHA256=9BF352D9CA49423FA43902DCE5EB8B283485F63B2F00652FCFF32EFE058AAFBA,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99748 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:31.483" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99747 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:31.483" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99746 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:29.047" ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01} ProcessId=632 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-11.attackrange.local SourcePort=60701 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99752 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:32.801" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=951318CACFC733C7DF1D97A70E0C6F35,SHA256=E9AC66708FC5EDFF562C49CF4640203FD5B8824490BD23946DF660B11B8F004F,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99751 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:32.484" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01} TargetProcessId=5336 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99750 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:32.484" SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01} SourceProcessId=608 SourceThreadId=1056 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01} TargetProcessId=5596 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=99755 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-11.attackrange.local RuleName=- UtcTime="2021-02-22 22:11:33.807" ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01} ProcessId=3816 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=A8A6E006C26F157484B09DF00C8E73EC,SHA256=916FF45FCFAEB76C37F4DCFA21AA3978A744BC09C8979D8DB0C2002CD1807F8F,IMPHASH=00000000000000000000000000000000" IsExecutable=false Archived=true
10341000x800000000000000099754Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:33.484{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099753Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:33.484{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099758Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:34.811{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6D1175301A4F9AA3372910D0F21CD0,SHA256=63B6C1EDB9FC079F55719A174E586078BD7AE1EEC63EBC2AB428A85F4F4E39F9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099757Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:34.485{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099756Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:34.485{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099761Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:35.826{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458E462032884688542CF06680D5ED12,SHA256=A0D757B446C1607DD60E127E34BF2C5B1056B787A631CC0D8E444F1E92708AB6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099760Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:35.486{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099759Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:35.486{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099765Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:36.839{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBCBCED34ACF0C70400AE35B603CA63,SHA256=A67DE8B9471D5BC89E12F352C1E3CE132199F9DFD25D0A487D84539E55273AD2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099764Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:36.487{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099763Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:36.487{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099762Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:34.182{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60702-false10.0.1.12-8000-
23542300x800000000000000099768Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:37.855{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5E60629ECC0DADF988063D4FEA52DD,SHA256=DC1104ED9D5B18D18A1B13014169D005E8CC1BF379C03E821F244858B0C504FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099767Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:37.488{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099766Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:37.488{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099771Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:38.868{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E336F649D07758C536A150415BEDA97B,SHA256=CD478AC45837DAE9F19D961667EA6EC2168D5F52E06E843A38FFF36EE5139C39,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099770Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:38.488{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099769Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:38.488{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099774Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:39.879{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C07B993FEE6C61202E9BF588655D89,SHA256=D917407AD94BF028B44A134F80D3F669A390DE11231AC9190E82D458E7243E4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099773Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:39.489{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099772Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:39.489{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099777Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:40.890{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC2B8D56002750651BA456EC449B09,SHA256=AE2AAF0A8008E4097DA40A8AB8EC170C9A964FD992C9E3BFE0C1A961464ECE15,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099776Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:40.489{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099775Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:40.489{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099780Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:41.894{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CE5BAD79575118450676038C4060D3,SHA256=FC3EC633796F47A7F687529B61B6870F8B0825E6423F061236495313C1885B5F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099779Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:41.490{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099778Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:41.490{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099784Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:42.902{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9137A222571D4BD8E2EAE317037B666D,SHA256=B69E45408DAEE9771E64A832E567D2479C2EB66706CA3C80EAB2B7D7EE8667B0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099783Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:42.491{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099782Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:42.491{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099781Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:40.063{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60703-false10.0.1.12-8000-
23542300x800000000000000099787Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:43.911{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FF26DDF4F1F83B107E6D05CCCB5842,SHA256=7634E963EEF0E1795C27F1269A2695529541D36F0702C0E457A6E0AE08799C58,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099786Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:43.492{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099785Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:43.492{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099790Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:44.917{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A295227E170D4965B0FCD6BA61A4B790,SHA256=D7A23D11AD4D7FFA972BD9B36F4FC558655AB0F15239C361B40B609FD1094567,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099789Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:44.492{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099788Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:44.492{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099793Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:45.924{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F28A17D1167C41D099A59FE5778F1,SHA256=253FCB281FD4601051B9F81E0722030551839753316A1883E91C2539DE6D614F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099792Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:45.493{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099791Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:45.493{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099796Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:46.931{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D25222B9E2CC34BFAE51B214410620,SHA256=E133EC7CEB5E49EF786C3682E984F37A6476C6159AA1B22CF60C0C07F29C8250,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099795Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:46.494{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099794Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:46.494{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099846Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.498{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099845Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.498{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099844Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.451{0F0CAB0C-2C27-6034-690E-00000000AD01}29926940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099843Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.292{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C27-6034-690E-00000000AD01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099842Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099841Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099840Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099839Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099838Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.289{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2C27-6034-690E-00000000AD01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099837Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.289{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C27-6034-690E-00000000AD01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099836Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.288{0F0CAB0C-2C27-6034-690E-00000000AD01}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099867Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.628{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C28-6034-6B0E-00000000AD01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099866Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.626{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099865Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.626{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099864Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.626{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099863Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.625{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099862Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.625{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2C28-6034-6B0E-00000000AD01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099861Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.625{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C28-6034-6B0E-00000000AD01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099860Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.624{0F0CAB0C-2C28-6034-6B0E-00000000AD01}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000099859Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.499{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099858Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.499{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099857Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:51.075{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60705-false10.0.1.12-8000-
10341000x800000000000000099856Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:52.117{0F0CAB0C-2C27-6034-6A0E-00000000AD01}41202764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099879Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.500{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099878Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.500{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099877Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.330{0F0CAB0C-2C29-6034-6C0E-00000000AD01}41486268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099876Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.163{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C29-6034-6C0E-00000000AD01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099875Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.161{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099874Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.161{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099873Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.161{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099872Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.161{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099871Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.161{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2C29-6034-6C0E-00000000AD01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099870Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.160{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C29-6034-6C0E-00000000AD01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000099869Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:11:53.159{0F0CAB0C-2C29-6034-6C0E-00000000AD01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000099936Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:11.155{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F9BBC161890C9E2F6CA15746600C83,SHA256=E9951846AAAE5AB1EACEDDE2571FD72AE09C836C8A7A3B182EA0418FB9528C9D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099941Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:12.518{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099940Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:12.518{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099939Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:12.159{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFB3C02DDB3F548517B8FB920EC08CD,SHA256=233D7CF18646FBDFDC52F5E3F3991DC85C4B3BCBC52ECF8EFB93A06A0EDCFC24,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099944Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:13.519{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099943Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:13.519{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099942Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:13.172{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D2FA823C8684A48EAADFEA95856E1,SHA256=D766890B731B72380A33A333C8881442B2A7CCFF9071216E5E415271FC1BC2DD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099948Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:14.520{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099947Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:14.520{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099946Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:13.081{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60710-false10.0.1.12-8000-
23542300x800000000000000099945Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:14.176{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A8F38E3FE64B3EE9DFB0A9004CBCBC,SHA256=64536BEE15944275E32BD54ACC99949110E36BA419A933C4555D6EAFEB221A33,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099951Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:15.521{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099950Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:15.521{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099949Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:15.187{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90873C9B5DF796FC276E465082153DD3,SHA256=DDEA981CB758169F4F97908B053A6370EF2CD39AB16C57F2679C168204C85423,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099954Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:16.522{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099953Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:16.522{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099952Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:16.196{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4564B205FF212E05680634DF8BB41C0B,SHA256=E3146C6A23BB8D4D4934768C4EF63B0143563B1B3737074AFC4F9E96B4C798A0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099957Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:17.523{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099956Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:17.523{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099955Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:17.201{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDFF0465F68EE5E3C500FEFBC6D4C67,SHA256=F8F4F50A8A731BCA28EA061E7C78E09BF90A44D232A08FD3A4069709103733D4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099960Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.523{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099959Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.523{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000099958Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.205{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0303742B6C9F0E8DC2A8E7176E0178F5,SHA256=A5B5408CF79AA135CF7C41A9D410A42B44CBA3EF890F66DB7630180FCCF0B657,IMPHASH=00000000000000000000000000000000falsetrue
17141700x800000000000000099975Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:12:19.997{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920\postex_5d7cC:\Windows\system32\rundll32.exe
23542300x800000000000000099974Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.945{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8B6E5D37A10AE8B7ECE0CAF653E090D,SHA256=95134443F0ED8B52486BC0558BB3CEAC3CDD92604C216D034539619A320F39FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000099973Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.944{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=694852296229B3D8AF17A241B6B03621,SHA256=96AA0628207E5ABF4E4FFD6944B79A51CB2E415592ACF6D207C2C4ABAF5F58D0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099972Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.890{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099971Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.890{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099970Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.890{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099969Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.889{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099968Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.889{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50125704C:\Windows\system32\csrss.exe{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000099967Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.889{0F0CAB0C-289A-6034-F30D-00000000AD01}14005628C:\Windows\system32\rundll32.exe{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(00000221929FF10D)
154100x800000000000000099966Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.889{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\rundll32.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{0F0CAB0C-289A-6034-F30D-00000000AD01}1400C:\Windows\System32\rundll32.exeC:\Windows\system32\rundll32.exe
10341000x800000000000000099965Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.888{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099964Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.524{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099963Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.524{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000099962Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.208{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60711-false10.0.1.12-8000-
23542300x800000000000000099961Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:19.209{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB720305BC7A401F9791328BB8537EC,SHA256=CFC4B34C6F409D6D6744A2E17C74ABC340FA507F8C55B43EF1B087D84B1AA33A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099985Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:20.525{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000099984Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:20.525{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
824800x800000000000000099983Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:20.495{0F0CAB0C-2C43-6034-6D0E-00000000AD01}920C:\Windows\System32\rundll32.exe{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exe81560x000001A6F4EC0000--
10341000x800000000000000099982Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:20.495{0F0CAB0C-2C43-6034-6D0E-00000000AD01}9201592C:\Windows\system32\rundll32.exe{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000013C27481D3D)
18141800x800000000000000099981Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-ConnectPipe2021-02-22 22:12:20.492{0F0CAB0C-289A-6034-F30D-00000000AD01}1400\postex_5d7cC:\Windows\system32\rundll32.exe
354300x800000000000000099980Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.909{0F0CAB0C-E51B-6033-0B00-00000000AD01}856C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60713-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000099979Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.909{0F0CAB0C-E52D-6033-3100-00000000AD01}2316C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60713-true0:0:0:0:0:0:0:1win-dc-11.attackrange.local389ldap
354300x800000000000000099978Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.862{0F0CAB0C-E51D-6033-1500-00000000AD01}1316C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-11.attackrange.local60712-false8.252.251.126-80http
354300x800000000000000099977Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:18.846{0F0CAB0C-E52D-6033-2D00-00000000AD01}2784C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-11.attackrange.local60739-
23542300x800000000000000099976Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:20.229{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F0630E9A846E490B2A887F43C6A694,SHA256=14A522164AED67B8AA6AB1EC02F7B38F8F8802789F73BE1F686A278A2F545492,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000100046Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:37.368{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB61BC247EEBC7C182DC7D239B083C4,SHA256=74DA65A65E44EEDCA40DF4A55D795F8A6429BA981C0823531E07E71DB475773E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100051Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:38.542{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100050Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:38.542{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100049Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:38.375{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D4F099678F341C3EF2D003174AFF45,SHA256=425CBBD4AD6E84482EAA9729DACAC4A68007EAF85F914EF2526C32CBBC428160,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100054Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:39.543{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100053Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:39.543{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100052Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:39.386{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A2485EF9A8C8918517750E8005A305,SHA256=5C1630D33ECECA52B32064E06609E0C0B3FC1139B51F0B525BB90F5295000C1D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100057Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:40.544{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100056Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:40.544{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100055Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:40.393{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253F631A5A63A99CBC8BD570F6BA42CE,SHA256=D6CC7A7749B81A0E06F700CCA696D2293C1106A23866BC36C49AFC9FE65B7498,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100060Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:41.545{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100059Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:41.545{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100058Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:41.399{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CDC55FFAAA3BE78833E0FA9281E622,SHA256=EE19E8A1E8B234BB3651BE8A9B3CB055449119F795C3D3ECAC39BEDF02A0D885,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000100099Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:40.977{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60719-false10.0.1.12-8000-
23542300x8000000000000000100098Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.575{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4033686D91E98AFE26197C5A19851C,SHA256=E2FE5A6C4A7DACA7C99B53C3D1FE9FACF6710CF0C024180B7A96557569A0D2C6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100097Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.546{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100096Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.546{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100095Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100094Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100093Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100092Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100091Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100090Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100089Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.333{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100088Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100087Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100086Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100085Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100084Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100083Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100082Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100081Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100080Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100079Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100078Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100077Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100076Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100075Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100074Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:42.332{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100145Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.553{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100144Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.553{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100143Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.501{0F0CAB0C-2C61-6034-700E-00000000AD01}71247420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100142Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.346{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C61-6034-700E-00000000AD01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100141Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.344{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100140Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.344{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100139Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.344{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100138Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.343{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100137Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.343{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2C61-6034-700E-00000000AD01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x8000000000000000100136Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.343{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C61-6034-700E-00000000AD01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x8000000000000000100135Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:49.341{0F0CAB0C-2C61-6034-700E-00000000AD01}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100150Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:50.633{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C98B8EF7697DFC84B2BE0AB4B953E8,SHA256=9ED776902DD85DB45196F569E274EEBB18E928B7C58D1437EAD86E0FF9431C42,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100149Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:50.554{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100148Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:50.554{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100171Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.933{0F0CAB0C-2C63-6034-720E-00000000AD01}58207628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100170Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.780{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C63-6034-720E-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100169Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.778{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100168Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.778{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100167Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.778{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100166Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.778{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100165Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.778{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2C63-6034-720E-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x8000000000000000100164Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.777{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C63-6034-720E-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x8000000000000000100163Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.776{0F0CAB0C-2C63-6034-720E-00000000AD01}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100162Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.647{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C7FADE6D38C3A295B928263399F25B,SHA256=C1137F9DD642FEDB88474B945038EEEAE13F44D3950E23B9C16D4F666C7B28EB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100161Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.554{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100160Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.554{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100159Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.443{0F0CAB0C-2C63-6034-710E-00000000AD01}27247408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100158Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.291{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C63-6034-710E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100157Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100156Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100155Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100154Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.288{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100153Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.288{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2C63-6034-710E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x8000000000000000100152Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.288{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C63-6034-710E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x8000000000000000100151Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.286{0F0CAB0C-2C63-6034-710E-00000000AD01}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100183Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.656{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BCE135862616CB77CF9EC549170E73,SHA256=35AA50C7B6C7654F48111CEE7F2C3F03E9C5671D998D0ED18EF219E106FF54F9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100182Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.608{0F0CAB0C-2C64-6034-730E-00000000AD01}5965220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100181Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.555{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100180Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.555{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100179Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.449{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C64-6034-730E-00000000AD01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100178Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100177Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100176Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100175Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100174Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2C64-6034-730E-00000000AD01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x8000000000000000100173Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.446{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C64-6034-730E-00000000AD01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x8000000000000000100172Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:52.444{0F0CAB0C-2C64-6034-730E-00000000AD01}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100195Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.675{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473156A0334A79155B7D58351F475415,SHA256=DCC3879586B2EC9AC09DF11CA49CAB102CA506CC14DEE4C6C3B6BF134298E19B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000100194Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:51.986{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local60721-false10.0.1.12-8000-
10341000x8000000000000000100193Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.555{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100192Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.555{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100191Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.118{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2C65-6034-740E-00000000AD01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100190Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.116{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100189Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.116{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100188Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.115{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100187Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.115{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100186Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.115{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2C65-6034-740E-00000000AD01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x8000000000000000100185Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.115{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2C65-6034-740E-00000000AD01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x8000000000000000100184Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:53.113{0F0CAB0C-2C65-6034-740E-00000000AD01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000100198Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:54.683{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A715E1A349EE07E9264BCEA3A5CCEF,SHA256=BD1272187E2E1A6EB8DA4943909B5C76ED73FB81D4A92B9170A67CDC7709F95C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100197Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:54.556{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100196Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:54.556{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100201Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:55.693{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3545106843C8A90B62C4DCA9AE2867A7,SHA256=50CE5D3C83B8DB51AD30E8ADF3BEF7ACEB88FA2EA451DD05B3D751F794660728,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100200Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:55.557{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100199Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:55.557{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x8000000000000000100204Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:56.705{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAD7EBB85A81C93EEFF18B3882F1637,SHA256=2007B060178E7ABB7DA510B9D64AE782C461ACEED04564E860DB6FA6C24DFEF2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000100203Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:56.558{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100202Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:56.558{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100206Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:57.559{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x8000000000000000100205Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:12:57.559{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037853Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:29.833{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037852Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:29.833{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000037851Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:25.778{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52599-false10.0.1.12-8000-
23542300x800000000000000037850Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:29.119{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F97756FCE5EEF5E26C0D9B675C51AF4,SHA256=B944D8C7BDF46FC067AAD2A1C9FD636CE523AE4AF3B9B43D26768820D18A2664,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037856Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:30.834{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037855Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:30.834{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037854Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:30.127{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73F521B123FCC4271B65FEC0CAF6959,SHA256=DB83FEA407394418F8F755AD5D8D2461EF596A13E243D10F6EBFA7538E966B1E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037859Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:31.835{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037858Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:31.835{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037857Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:31.132{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E233A569CFC70E24DF386A6B9D94A9A2,SHA256=8F38150F4016DF5CB982361D0941C3A287628484279D3782F081C729A64CF064,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037910Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:35.391{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037909Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:35.391{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037908Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:35.197{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E9A66B32481E9BCC86EB2F6FE9A0E8,SHA256=D62EDDFA9F5AD3197D037A0C0CC952AA82FE1D00337DB60E92A81BFC5491A9B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037907Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:35.157{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC53055BBDD30A5376005F16C2C11B2,SHA256=A18C981054251E6E95F5A7A6A4F6C1ACCCD1B09102943A656B112011E636AB57,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037917Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:36.798{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=298BE65AC27EEAA91A2CF5591996F47D,SHA256=BA73E19445FFFB7EDC983B8144FDCA0FB442AFFA20F7C4023B8034C4458A4392,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037916Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:36.391{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037915Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:36.391{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037914Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:36.163{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9931E10DCD3F6D7F8221AE374198F27,SHA256=C4825C2BFEB17FB8ACC5D3AF5B97A0D5FCEFE24C3A6BAF5BD0B444B14B76B2E0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037926Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:37.392{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037925Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:37.392{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000037924Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.369{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52604-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local389ldap
354300x800000000000000037923Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.369{64AF4F22-4095-6035-2800-00000000AD01}2904C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52604-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local389ldap
354300x800000000000000037922Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.364{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52603-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local389ldap
354300x800000000000000037921Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.364{64AF4F22-4095-6035-2800-00000000AD01}2904C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52603-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local389ldap
354300x800000000000000037920Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.353{64AF4F22-4084-6035-0D00-00000000AD01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52602-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local135epmap
354300x800000000000000037919Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:34.353{64AF4F22-4095-6035-2800-00000000AD01}2904C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local52602-truefe80:0:0:0:50a:755c:eba6:e0fbwin-dc-177.attackrange.local135epmap
23542300x800000000000000037918Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:37.167{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A191DE6890BC04FAB9106674B66E4B5,SHA256=AEB448EEA0643C86A55906D5FD8EAFB9F5C92560A35E7C4D2D3AD82D5DF6342A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037929Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:38.392{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037928Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:38.392{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037927Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:38.209{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247FD2E1D7F7AE66794D4156E0A02ECF,SHA256=1918FE1248FCEA735585A0940646C89FE61A580DEAAC6DCF9A29ECDE28A3A1FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037934Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:39.757{64AF4F22-4104-6035-CF01-00000000AD01}856NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=383FF891B54042AF48D937003E34CF57,SHA256=987B086468067B1523CD4B7B9BD1DACA3B756BBC54E50911C45E1BF247EAF284,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037933Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:39.393{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037932Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:39.393{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037931Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:39.214{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB793E1BCD06C9DD61D036DA736AA9E3,SHA256=2C81F9EE29F21C92EC765C7A5541D8026C1D1E13D5E67B1713DE73FB5C6B2A74,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037930Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:39.209{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FE0A41B27751BF45C59BA04256BDD8,SHA256=D3F3DA5AA2BD2AB16DEC489260CA79F32001A4826DD3209A4D8550FBD14299A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037938Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:40.776{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4F35229634DBB77D3A92D8127E89965,SHA256=79A8D886D605836E776B69F6B30C261339D337AA31C5B0DBA71034CD1D69CDE9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037937Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:40.393{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037936Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:40.393{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037935Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:40.217{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B6432E51EBAAE82D2EF5FE30996CE3,SHA256=027D1B59B23CA9A153E264BE738E8BB38F47CDB371B64619548BE59853AD655B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037943Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:41.394{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037942Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:41.394{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037941Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:41.222{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB777155837802C10604ED5D23218A9F,SHA256=9C5571CEECC11E69DAAF97B98011FA9B41456D0DA19044780C0CE4F8B834147F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000037940Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:38.412{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52606-false10.0.1.12-8089-
354300x800000000000000037939Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:36.806{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52605-false10.0.1.12-8000-
10341000x800000000000000037946Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:42.395{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037945Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:42.395{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037944Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:42.229{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C870509D5D13BDC938496BB04C2AD7,SHA256=7BD469C8C68832F7C61EC17B23087A08640AEB40F3984CEF2E0C848730AED9D9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037949Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:43.395{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037948Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:43.395{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037947Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:43.236{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB706ABFABE1936C57CDF8668695993,SHA256=C74E31DAC39AFCA8B00A37B80215337D68F016431048715F54F1ECE9966B4085,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037952Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:44.396{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037951Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:44.396{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037950Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:44.245{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A72473F15DADFAB212999E0C5EED478,SHA256=C9DDA93340D2EC088CBF7F9802C4E838FFE6D48627617A583C06BE90AABC95E4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037956Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:45.397{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000037955Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:45.397{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000037954Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:45.249{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E706425B50B1802A7203FFBFEB0E85,SHA256=FF700F151EB900692ECB32AAE0124DB7CFFCC777315D493D772E3820A66F9C5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000037953Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:45.064{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5668FCF25FDBA109C76A6EE727309821,SHA256=8884E7421D1E4F1842687D9EC717E1AD84B892A73EAD269F09BB36071749B560,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000037972Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:46.398{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038034Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038033Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038032Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038031Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038030Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038029Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038028Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038027Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038026Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038025Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038024Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.006{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038023Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038022Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038021Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038020Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038019Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038018Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038017Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038016Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038015Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038014Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038013Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038012Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038011Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038010Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038009Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038008Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038007Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038006Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:51.005{64AF4F22-4084-6035-0D00-00000000AD01}904924C:\Windows\system32\svchost.exe{64AF4F22-4258-6035-4802-00000000AD01}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038046Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:52.617{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9569D8FA30EF7C155BFDEC96C7BB37,SHA256=E0DDAE626DB39653C8B96114C2A29FA28E374E5877593A7EC98B08E25E77014C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038045Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:52.402{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038044Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:52.402{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038049Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:53.623{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DCEAB2F0AF7401B0888DEF06BC69CD,SHA256=7796E2536A4C005484A98542FC5768B15AAB50531ABE213613D5AB8C2AEE6430,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038048Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:53.402{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038047Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:53.402{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038053Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:54.630{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B17D8267BB5FF42A1BA8DAAAD20F3BA,SHA256=7146394C8A5C9C2E8199D1A98415C5D24A0C42E0DB1E40D35EBD29EAB0B2A105,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038052Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:36:54.402{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038109Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:08.577{64AF4F22-4258-6035-4802-00000000AD01}49564932C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038108Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:08.565{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio8310520183290746485.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038107Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:08.408{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038106Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:08.408{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038105Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:04.785{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52613-false10.0.1.12-8000-
23542300x800000000000000038119Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:09.723{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9108B49FD839DFC35736CDFD02A03EF2,SHA256=F91045692224B54D609F87E82096A0EDC58707E9E3B9DF13488A511C0BC4FC15,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038118Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:09.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038117Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:09.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038126Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.728{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F35AFDF77131DA3C296863D2F63412,SHA256=1FBE19E6B50401FA13950176AD0A7B3E6191C00B62FD7D6714C60BC1D0B36579,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038125Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.600{64AF4F22-4084-6035-0D00-00000000AD01}9043512C:\Windows\system32\svchost.exe{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038124Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038123Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038122Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.016{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038121Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.016{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038120Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.016{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038205Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.818{64AF4F22-4085-6035-1600-00000000AD01}13202028C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038204Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.818{64AF4F22-4085-6035-1600-00000000AD01}13201372C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038203Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.813{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038202Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.809{64AF4F22-4255-6035-3402-00000000AD01}3725240C:\Windows\system32\csrss.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038201Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.807{64AF4F22-4082-6035-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038200Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.806{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-6A0A-00000000AD01}5444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038199Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.799{64AF4F22-4085-6035-1600-00000000AD01}13202028C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038198Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.799{64AF4F22-4085-6035-1600-00000000AD01}13201372C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038197Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.797{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038196Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.785{64AF4F22-4255-6035-3402-00000000AD01}3722196C:\Windows\system32\csrss.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038195Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.783{64AF4F22-4082-6035-0500-00000000AD01}412480C:\Windows\system32\csrss.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038194Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.783{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4B57-6035-690A-00000000AD01}6264C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038193Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.776{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x800000000000000038192Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.776{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x800000000000000038191Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.775{64AF4F22-4258-6035-4802-00000000AD01}49564624C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038190Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.775{64AF4F22-4258-6035-4802-00000000AD01}49564624C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038189Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.755{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038188Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.755{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038187Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.750{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038186Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.745{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x800000000000000038185Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.745{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e
10341000x800000000000000038184Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.744{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038183Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.743{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038182Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.741{64AF4F22-4095-6035-2B00-00000000AD01}30406976C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x800000000000000038181Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.741{64AF4F22-4095-6035-2B00-00000000AD01}30406976C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a
10341000x800000000000000038180Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038179Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038178Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038177Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038176Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038175Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038174Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038173Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038172Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038171Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038170Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.738{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038169Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038168Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038167Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038166Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038165Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038164Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038163Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038162Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038161Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.737{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038160Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038159Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038158Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038157Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038156Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4EA4E36EF1B98FA3F53556710B66F4,SHA256=F5F5035AA0B0A47567D6CB7FB87D84A59AB2028180751F2EE36E6549FF0B20C0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038155Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038154Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.736{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038153Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038152Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038151Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038150Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043392C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038149Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038148Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038147Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.735{64AF4F22-4084-6035-0D00-00000000AD01}9043764C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038146Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038145Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038144Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038143Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038142Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038141Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038140Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.734{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a344|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038139Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038138Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ad|C:\Windows\SYSTEM32\psmserviceexthost.dll+11025|C:\Windows\SYSTEM32\psmserviceexthost.dll+1089f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038137Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038136Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038135Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038134Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.733{64AF4F22-4258-6035-4802-00000000AD01}49565184C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038133Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.732{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038132Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.732{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038131Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.732{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038130Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.730{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038129Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.730{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038128Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038127Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:11.409{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038221Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.784{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84410A4A00C92BE52A1C8C310B4C68B,SHA256=F522F17F9730EB779785ADFF23A1822551323662F874CE72CE35620C092FA73F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038220Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.494{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x800000000000000038219Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.494{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+afc5a|C:\Windows\System32\combase.dll+a6a1d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\combase.dll+6a233|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e
10341000x800000000000000038218Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.493{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038217Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.493{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038216Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.490{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038215Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.490{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038214Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.490{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038213Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.484{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038212Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.484{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038211Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.482{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038210Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.482{64AF4F22-4258-6035-4802-00000000AD01}49565968C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038209Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.410{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038208Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.410{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038207Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.033{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E4E593F81998975ADF2F7EA13D3B4E,SHA256=24E889C836DF2D9E161C5419A67FBC3AB847E8F1F00010F0485A4DF4C2E636BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038206Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:12.015{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5247E20E3F1782C9510D44030A0B4E79,SHA256=203BCBE284B6892F31C4A68456C77083410800224691161F8B9EB446995D0444,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038251Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.452{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038250Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.452{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038249Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.451{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038248Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.451{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038247Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.451{64AF4F22-4084-6035-0C00-00000000AD01}8445512C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038246Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.451{64AF4F22-4257-6035-4002-00000000AD01}16762016C:\Windows\system32\sihost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038245Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.411{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038244Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.411{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038243Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.404{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038242Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.404{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038241Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.404{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038240Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.403{64AF4F22-4095-6035-2B00-00000000AD01}30406976C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x800000000000000038239Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.403{64AF4F22-4095-6035-2B00-00000000AD01}30406976C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+6657d|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a
354300x800000000000000038238Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:10.682{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52614-false10.0.1.12-8000-
10341000x800000000000000038237Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.137{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038236Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.137{64AF4F22-4258-6035-4802-00000000AD01}4956432C:\Windows\Explorer.EXE{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+27e9|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+687f8|C:\Windows\System32\combase.dll+66c5f|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+63356|C:\Windows\System32\combase.dll+62b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x800000000000000038235Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:13.133{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12111|C:\Windows\SYSTEM32\psmserviceexthost.dll+170a8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038282Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:18.395{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f9e|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038281Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:18.394{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
10341000x800000000000000038280Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:18.394{64AF4F22-4084-6035-0C00-00000000AD01}844872C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12eec|C:\Windows\SYSTEM32\psmserviceexthost.dll+15afb|C:\Windows\SYSTEM32\psmserviceexthost.dll+100ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+10470|C:\Windows\SYSTEM32\psmserviceexthost.dll+13922|C:\Windows\SYSTEM32\psmserviceexthost.dll+160f9|C:\Windows\SYSTEM32\psmserviceexthost.dll+16bc3|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc
23542300x800000000000000038279Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:18.175{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E360A6B151E93568C866BBFF11D2F335,SHA256=80660EE95DE7631555C9D9D3B6FC7E4F479F16FA3AAB4A99807A31A3CCE188EF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038294Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:19.414{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038293Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:19.414{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038292Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:15.821{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52615-false10.0.1.12-8000-
23542300x800000000000000038291Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:19.184{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AF10D299DB289C435F85E557CE18B3,SHA256=47F5F1FA31C2BD5424EFBCD935631052B47AAD3EBAFA08CB74EF3DD9F40902D1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038305Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.713{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B60-6035-6B0A-00000000AD01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038304Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.712{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038303Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.712{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038302Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.711{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038301Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.711{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038300Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.711{64AF4F22-4082-6035-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{64AF4F22-4B60-6035-6B0A-00000000AD01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038299Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.711{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B60-6035-6B0A-00000000AD01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038298Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.711{64AF4F22-4B60-6035-6B0A-00000000AD01}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000038297Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.415{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038296Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.415{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038295Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:20.195{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D99E32CF8DD2974E20084618E9061FA,SHA256=CAD3CDF2B6C4E05D82A55EA123355B19F3DC58B7E271875BB720D16EE3366810,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038326Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.984{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B61-6035-6D0A-00000000AD01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038325Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.983{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038324Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.983{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038323Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.982{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038322Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.982{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038321Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.982{64AF4F22-4082-6035-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{64AF4F22-4B61-6035-6D0A-00000000AD01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038320Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.982{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B61-6035-6D0A-00000000AD01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038319Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.981{64AF4F22-4B61-6035-6D0A-00000000AD01}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038318Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.947{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58BCAC7BF2F25C9E3F60DD2723AE6E84,SHA256=88FFC34010AB4C4A936F9C686511A8B411BE6D149D0F6DE3F183428C003B80D2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038317Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.511{64AF4F22-4B61-6035-6C0A-00000000AD01}49002120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038316Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.415{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038315Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.415{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038314Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.378{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B61-6035-6C0A-00000000AD01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038313Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.377{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038312Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:21.377{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
Sysmon records from win-dc-177.attackrange.local, Channel Microsoft-Windows-Sysmon/Operational (every record: Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-"). The export lost its field separators; the records are reconstructed below as one labelled record per line, in the original order, with field order taken from the Sysmon event schema for each EventID (10 ProcessAccess v3, 1 ProcessCreate v5, 23 FileDelete v5, 3 NetworkConnect v5). Where the export fused ProcessId and ThreadId into one number, the split shown is the one consistent with the other records (svchost 844, csrss 412, splunkd 856, Explorer 4956, beacon_jquery.exe 7080, svchost 860); the session-2 csrss.exe record fused "3724744", which could be PID 372/TID 4744 or PID 3724/TID 744, and is left marked as ambiguous.

EID=10; Rec=38311; UtcTime=2021-02-23 18:37:21.376; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38310; UtcTime=2021-02-23 18:37:21.376; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38309; UtcTime=2021-02-23 18:37:21.376; Source=C:\Windows\system32\csrss.exe PID=412 TID=528 GUID={64AF4F22-4082-6035-0500-00000000AD01}; Target=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe PID=4900 GUID={64AF4F22-4B61-6035-6C0A-00000000AD01}; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EID=10; Rec=38308; UtcTime=2021-02-23 18:37:21.376; Source=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe PID=856 TID=4700 GUID={64AF4F22-4104-6035-CF01-00000000AD01}; Target=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe PID=4900 GUID={64AF4F22-4B61-6035-6C0A-00000000AD01}; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=1; Rec=38307; UtcTime=2021-02-23 18:37:21.376; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe PID=4900 GUID={64AF4F22-4B61-6035-6C0A-00000000AD01}; FileVersion=8.0.2; Description=Active Directory monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-admon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={64AF4F22-4083-6035-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentPID=856 ParentGUID={64AF4F22-4104-6035-CF01-00000000AD01}; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EID=23; Rec=38306; UtcTime=2021-02-23 18:37:21.199; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0FAE3249047854CA1250DF1623D22D11,SHA256=B28993B581AE9C1B7E799E809DEB0A40ECF192D74E286C301EE29976B33D6D25,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; Rec=38338; UtcTime=2021-02-23 18:37:22.985; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=36EBFE2F7A8A2771CE4560D133BFC5ED,SHA256=777BB94393DF1174DECDE956BC81D8988FB46A4434C70990EE797CAAA28F37F2,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38337; UtcTime=2021-02-23 18:37:22.416; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe PID=5364 GUID={64AF4F22-4262-6035-5702-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38336; UtcTime=2021-02-23 18:37:22.416; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe PID=5264 GUID={64AF4F22-4261-6035-5602-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38335; UtcTime=2021-02-23 18:37:22.218; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38334; UtcTime=2021-02-23 18:37:22.218; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38333; UtcTime=2021-02-23 18:37:22.218; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38332; UtcTime=2021-02-23 18:37:22.215; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38331; UtcTime=2021-02-23 18:37:22.215; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38330; UtcTime=2021-02-23 18:37:22.214; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38329; UtcTime=2021-02-23 18:37:22.214; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=23; Rec=38328; UtcTime=2021-02-23 18:37:22.210; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=370F08DB68F9DFA1138E546DB3B56ABC,SHA256=3362BC065D992014B0D3CDC98F8C999EEEAC71013E4E1DA0CD498D8260D515FE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; Rec=38327; UtcTime=2021-02-23 18:37:22.202; Image=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; User=ATTACKRANGE\Administrator; TargetFilename=C:\Users\ADMINI~1\AppData\Local\Temp\2\imageio18064308457094414407.tmp; Hashes=MD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38349; UtcTime=2021-02-23 18:37:23.416; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe PID=5364 GUID={64AF4F22-4262-6035-5702-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38348; UtcTime=2021-02-23 18:37:23.416; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe PID=5264 GUID={64AF4F22-4261-6035-5602-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38347; UtcTime=2021-02-23 18:37:23.403; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38346; UtcTime=2021-02-23 18:37:23.403; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38345; UtcTime=2021-02-23 18:37:23.403; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38344; UtcTime=2021-02-23 18:37:23.403; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38343; UtcTime=2021-02-23 18:37:23.402; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38342; UtcTime=2021-02-23 18:37:23.402; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38341; UtcTime=2021-02-23 18:37:23.402; Source=C:\Windows\Explorer.EXE PID=4956 TID=4932 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=23; Rec=38340; UtcTime=2021-02-23 18:37:23.394; Image=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; User=ATTACKRANGE\Administrator; TargetFilename=C:\Users\ADMINI~1\AppData\Local\Temp\2\imageio7380395230016801918.tmp; Hashes=MD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; Rec=38339; UtcTime=2021-02-23 18:37:23.220; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=DA6590A12EDEC1580699638810C0A8A2,SHA256=ED74A3B0925F61308ED1EE72FEC6581AA3CEEC4751E4944DF7FE7F14A76E931C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38354; UtcTime=2021-02-23 18:37:24.417; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe PID=5364 GUID={64AF4F22-4262-6035-5702-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38353; UtcTime=2021-02-23 18:37:24.417; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe PID=5264 GUID={64AF4F22-4261-6035-5602-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=3; Rec=38352; UtcTime=2021-02-23 18:37:21.724; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe PID=4916 GUID={64AF4F22-410B-6035-FD01-00000000AD01}; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-177.attackrange.local; SourcePort=52616; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EID=23; Rec=38351; UtcTime=2021-02-23 18:37:24.228; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7D2A2DC67B2A2BC53760248313F64591,SHA256=6849B16A166268DBC95E76587DF5621DB3E05F4A30ECD439230D7A17B0EE2031,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=23; Rec=38350; UtcTime=2021-02-23 18:37:24.108; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=6EC8EB15F806020C6500BD90391CFCFD,SHA256=0AA1EF5F68ABA827B3E1D1AFEB22E602CBACF562F01927C835FCF3068B181D04,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38357; UtcTime=2021-02-23 18:37:25.418; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe PID=5364 GUID={64AF4F22-4262-6035-5702-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38356; UtcTime=2021-02-23 18:37:25.418; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe PID=5264 GUID={64AF4F22-4261-6035-5602-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=23; Rec=38355; UtcTime=2021-02-23 18:37:25.236; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=DC0F2E3FDF73E048B4196D0E74D864FC,SHA256=D0ECB910B0615DB42908F077A02A77380310445052EDBAACF2B13C9B8737423A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38363; UtcTime=2021-02-23 18:37:26.418; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe PID=5364 GUID={64AF4F22-4262-6035-5702-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38362; UtcTime=2021-02-23 18:37:26.418; Source=C:\Windows\system32\svchost.exe PID=844 TID=968 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe PID=5264 GUID={64AF4F22-4261-6035-5602-00000000AD01}; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=23; Rec=38361; UtcTime=2021-02-23 18:37:26.241; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe PID=3712 GUID={64AF4F22-4111-6035-0602-00000000AD01}; User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D782A0045DD19C662BD58A0B237FA97E,SHA256=D566E4AAC2B1DB7DFCF04F04C66C5F09398943DCA609A01B41F71406F4DA4D3E,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EID=10; Rec=38360; UtcTime=2021-02-23 18:37:26.026; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38359; UtcTime=2021-02-23 18:37:26.026; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38358; UtcTime=2021-02-23 18:37:26.026; Source=C:\Windows\Explorer.EXE PID=4956 TID=3976 GUID={64AF4F22-4258-6035-4802-00000000AD01}; Target=C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe PID=5928 GUID={64AF4F22-446F-6035-7F05-00000000AD01}; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38375; UtcTime=2021-02-23 18:37:27.957; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38374; UtcTime=2021-02-23 18:37:27.957; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38373; UtcTime=2021-02-23 18:37:27.957; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38372; UtcTime=2021-02-23 18:37:27.957; Source=C:\Windows\system32\svchost.exe PID=844 TID=300 GUID={64AF4F22-4084-6035-0C00-00000000AD01}; Target=C:\Windows\sysmon64.exe PID=3064 GUID={64AF4F22-4095-6035-2D00-00000000AD01}; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EID=10; Rec=38371; UtcTime=2021-02-23 18:37:27.957; Source=C:\Windows\system32\csrss.exe PID/TID=3724744 (fused in the export: 372/4744 or 3724/744) GUID={64AF4F22-4255-6035-3402-00000000AD01}; Target=C:\Windows\system32\dllhost.exe PID=6736 GUID={64AF4F22-4B67-6035-6E0A-00000000AD01}; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EID=10; Rec=38370; UtcTime=2021-02-23 18:37:27.956; Source=C:\Users\Administrator\Desktop\beacon_jquery.exe PID=7080 TID=1956 GUID={64AF4F22-4B3E-6035-680A-00000000AD01}; Target=C:\Windows\system32\dllhost.exe PID=6736 GUID={64AF4F22-4B67-6035-6E0A-00000000AD01}; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(0000000000F6E8A9)
EID=1; Rec=38369; UtcTime=2021-02-23 18:37:27.957; Image=C:\Windows\System32\dllhost.exe PID=6736 GUID={64AF4F22-4B67-6035-6E0A-00000000AD01}; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=COM Surrogate; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=dllhost.exe; CommandLine=C:\Windows\system32\dllhost.exe; CurrentDirectory=C:\Users\Administrator\Desktop\; User=ATTACKRANGE\Administrator; LogonGuid={64AF4F22-4256-6035-0C29-150000000000}; LogonId=0x15290c; TerminalSessionId=2; IntegrityLevel=High; Hashes=MD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88; ParentImage=C:\Users\Administrator\Desktop\beacon_jquery.exe ParentPID=7080 ParentGUID={64AF4F22-4B3E-6035-680A-00000000AD01}; ParentCommandLine="C:\Users\Administrator\Desktop\beacon_jquery.exe"
EID=10; Rec=38368; UtcTime=2021-02-23 18:37:27.956; Source=C:\Windows\System32\svchost.exe PID=860 TID=4076 GUID={64AF4F22-4085-6035-1300-00000000AD01}; Target=C:\Windows\system32\dllhost.exe PID=6736 GUID={64AF4F22-4B67-6035-6E0A-00000000AD01}; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038367Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:27.884{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FC17B7544B1C37030E4BDD016476D1D,SHA256=326888380555129ECFFF2212B84F627EA8E87FC7F21231D7275840874BA46B83,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038366Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:27.419{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038365Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:27.419{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038364Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:27.249{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D29D8E31746FAF85DB588E2B518263,SHA256=B4AFF8FD277D649D1EDEAC1F779F091E8552C1234BF540001F6BE5FC796B6802,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038386Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.973{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=730A4C7E99184E9FC0637D9806BFD208,SHA256=B42DCC1FA5C34E38A2FE7A960A4092CAC3956525208C787127E239774BD297A9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038385Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.692{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038384Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.692{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038383Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.692{64AF4F22-4258-6035-4802-00000000AD01}49563976C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
824800x800000000000000038382Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.563{64AF4F22-4B67-6035-6E0A-00000000AD01}6736C:\Windows\System32\dllhost.exe{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\System32\lsass.exe63160x000001D1EE3A0000--
10341000x800000000000000038381Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.563{64AF4F22-4B67-6035-6E0A-00000000AD01}67366740C:\Windows\system32\dllhost.exe{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000020F7D210D3D)
18141800x800000000000000038380Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-ConnectPipe2021-02-23 18:37:28.560{64AF4F22-4B3E-6035-680A-00000000AD01}7080\Winsock2\CatalogChangeListener-bab-0C:\Users\Administrator\Desktop\beacon_jquery.exe
10341000x800000000000000038379Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.420{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038378Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.420{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038377Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:28.259{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F85E4EE8BC113BB053FD017D01FB7,SHA256=B6B1FBFE9665E5EFCE0E5AE4E97AD87A8633AB3BB6E80AD1C0EF50417B522342,IMPHASH=00000000000000000000000000000000falsetrue
17141700x800000000000000038376Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-CreatePipe2021-02-23 18:37:28.064{64AF4F22-4B67-6035-6E0A-00000000AD01}6736\Winsock2\CatalogChangeListener-bab-0C:\Windows\system32\dllhost.exe
10341000x800000000000000038404Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.666{64AF4F22-4B69-6035-6F0A-00000000AD01}26886800C:\Windows\system32\dllhost.exe{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001D14A08C798)
10341000x800000000000000038403Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.663{64AF4F22-4083-6035-0B00-00000000AD01}628756C:\Windows\system32\lsass.exe{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\system32\dllhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038402Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.663{64AF4F22-4083-6035-0B00-00000000AD01}628756C:\Windows\system32\lsass.exe{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\system32\dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
18141800x800000000000000038401Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-ConnectPipe2021-02-23 18:37:29.663{64AF4F22-4B3E-6035-680A-00000000AD01}7080\Winsock2\CatalogChangeListener-38a-0C:\Users\Administrator\Desktop\beacon_jquery.exe
10341000x800000000000000038400Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.421{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038399Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.421{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
17141700x800000000000000038398Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-CreatePipe2021-02-23 18:37:29.349{64AF4F22-4B69-6035-6F0A-00000000AD01}2688\Winsock2\CatalogChangeListener-38a-0C:\Windows\system32\dllhost.exe
354300x800000000000000038397Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:26.503{64AF4F22-4B3E-6035-680A-00000000AD01}7080C:\Users\Administrator\Desktop\beacon_jquery.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-177.attackrange.local52617-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x800000000000000038396Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.267{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE11627B83F4EC1ABCE70AE079AED5DE,SHA256=6E46389BB286A26026DC465A14FA115C474FD28E8E8FD38474AF49BD0FB5EE6E,IMPHASH=00000000000000000000000000000000falsetrue
734700x800000000000000038395Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.169{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\System32\dllhost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid
10341000x800000000000000038394Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.062{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038393Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.062{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038392Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.062{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038391Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.062{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038390Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.061{64AF4F22-4255-6035-3402-00000000AD01}3722196C:\Windows\system32\csrss.exe{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038389Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.061{64AF4F22-4B3E-6035-680A-00000000AD01}70801956C:\Users\Administrator\Desktop\beacon_jquery.exe{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(0000000000F6E8A9)
154100x800000000000000038388Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.061{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\dllhost.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{64AF4F22-4256-6035-0C29-150000000000}0x15290c2HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88{64AF4F22-4B3E-6035-680A-00000000AD01}7080C:\Users\Administrator\Desktop\beacon_jquery.exe"C:\Users\Administrator\Desktop\beacon_jquery.exe"
10341000x800000000000000038387Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.061{64AF4F22-4085-6035-1300-00000000AD01}8604076C:\Windows\System32\svchost.exe{64AF4F22-4B69-6035-6F0A-00000000AD01}2688C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038424Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.421{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038423Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.421{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038422Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:26.851{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52618-false10.0.1.12-8000-
23542300x800000000000000038421Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.277{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996176221E6F7C5E47E543FDF31F6C1E,SHA256=2D224C4B844CDA8BF54621161B1644FD41E0309053603497662C153D8680E1AB,IMPHASH=00000000000000000000000000000000falsetrue
17141700x800000000000000038420Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-CreatePipe2021-02-23 18:37:30.200{64AF4F22-4B6A-6035-700A-00000000AD01}3480\MSSE-1342-server\\127.0.0.1\ADMIN$\4cd3ee7.exe
10341000x800000000000000038419Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.199{64AF4F22-4083-6035-0A00-00000000AD01}6207156C:\Windows\system32\services.exe{64AF4F22-4B6A-6035-700A-00000000AD01}3480\\127.0.0.1\ADMIN$\4cd3ee7.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038418Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.185{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038417Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.185{64AF4F22-4082-6035-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{64AF4F22-4B6A-6035-700A-00000000AD01}3480\\127.0.0.1\ADMIN$\4cd3ee7.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038416Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.185{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038415Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.185{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038414Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.185{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38413; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:30.184; SourceProcessGUID={64AF4F22-4083-6035-0A00-00000000AD01}; SourceProcessId=620; SourceThreadId=7104; SourceImage=C:\Windows\system32\services.exe; TargetProcessGUID={64AF4F22-4B6A-6035-700A-00000000AD01}; TargetProcessId=3480; TargetImage=\\127.0.0.1\ADMIN$\4cd3ee7.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\system32\services.exe+21fc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38412; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:30.174; ProcessGuid={64AF4F22-4B6A-6035-700A-00000000AD01}; ProcessId=3480; Image=\\127.0.0.1\ADMIN$\4cd3ee7.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine=\\127.0.0.1\ADMIN$\4cd3ee7.exe; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={64AF4F22-4083-6035-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=CDA30E6AF47CAF6E94E63D0F30741DBE,SHA256=D9AF30D3A505036CF5C0FEA96A66D2781A4CAF90681652E808619939CBA074DA,IMPHASH=BED5688A4A2B5EA6984115B458755E90; ParentProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ParentProcessId=620; ParentImage=C:\Windows\System32\services.exe; ParentCommandLine=C:\Windows\system32\services.exe
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38411; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=SetValue; UtcTime=2021-02-23 18:37:30.168; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\ObjectName; Details=LocalSystem
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38410; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=T1031,T1050; EventType=SetValue; UtcTime=2021-02-23 18:37:30.168; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\ImagePath; Details=\\127.0.0.1\ADMIN$\4cd3ee7.exe
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38409; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=SetValue; UtcTime=2021-02-23 18:37:30.168; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\ErrorControl; Details=DWORD (0x00000000)
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38408; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=T1031,T1050; EventType=SetValue; UtcTime=2021-02-23 18:37:30.168; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\Start; Details=DWORD (0x00000003)
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38407; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=SetValue; UtcTime=2021-02-23 18:37:30.168; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\Type; Details=DWORD (0x00000010)
EventID=11; Version=2; Level=4; Task=11; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38406; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=EXE; UtcTime=2021-02-23 18:37:30.167; ProcessGuid={64AF4F22-4081-6035-0100-00000000AD01}; ProcessId=4; Image=System; TargetFilename=C:\Windows\4cd3ee7.exe; CreationUtcTime=2021-02-23 18:37:30.167
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38405; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:30.097; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=FF30A8E245F797BDB045DC9DA5EF5FA0,SHA256=E542C6D36DAEE2FC2CEEB25BAE36377C7587398A250C629B7B9A16671DF2264A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38444; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.422; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4262-6035-5702-00000000AD01}; TargetProcessId=5364; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38443; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.422; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4261-6035-5602-00000000AD01}; TargetProcessId=5264; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38442; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.409; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=9FF8CC4812C52197D1D0C56AFFEDCD01,SHA256=466B39F40729DF281D74DF7FA446591914A39ADBC08DD51846DEEB1124D43666,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38441; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:28.835; ProcessGuid={64AF4F22-4081-6035-0100-00000000AD01}; ProcessId=4; Image=System; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsIpv6=false; SourceIp=127.0.0.1; SourceHostname=win-dc-177.attackrange.local; SourcePort=52619; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=127.0.0.1; DestinationHostname=win-dc-177.attackrange.local; DestinationPort=445; DestinationPortName=microsoft-ds
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38440; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:28.835; ProcessGuid={64AF4F22-4081-6035-0100-00000000AD01}; ProcessId=4; Image=System; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=127.0.0.1; SourceHostname=win-dc-177.attackrange.local; SourcePort=52619; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=127.0.0.1; DestinationHostname=win-dc-177.attackrange.local; DestinationPort=445; DestinationPortName=microsoft-ds
EventID=17; Version=1; Level=4; Task=17; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38439; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=CreatePipe; UtcTime=2021-02-23 18:37:31.252; ProcessGuid={64AF4F22-4B6B-6035-710A-00000000AD01}; ProcessId=6748; PipeName=\msagent_cf; Image=C:\Windows\System32\rundll32.exe
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38438; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.252; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=3805FD1160A5D84DDF7A26F87F814034,SHA256=4CFAAB56B329936EFBD1CA14D507EBCE8E5309B6B90C62CADB8C0DBC4A64F956,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38437; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.245; SourceProcessGUID={64AF4F22-4083-6035-0B00-00000000AD01}; SourceProcessId=628; SourceThreadId=8756; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={64AF4F22-4B6B-6035-710A-00000000AD01}; TargetProcessId=6748; TargetImage=C:\Windows\System32\rundll32.exe; GrantedAccess=0x1478; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38436; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.245; SourceProcessGUID={64AF4F22-4083-6035-0B00-00000000AD01}; SourceProcessId=628; SourceThreadId=8756; SourceImage=C:\Windows\system32\lsass.exe; TargetProcessGUID={64AF4F22-4B6B-6035-710A-00000000AD01}; TargetProcessId=6748; TargetImage=C:\Windows\System32\rundll32.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=5; Version=3; Level=4; Task=5; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38435; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.234; ProcessGuid={64AF4F22-4B6A-6035-700A-00000000AD01}; ProcessId=3480; Image=\\127.0.0.1\ADMIN$\4cd3ee7.exe
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38434; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.233; SourceProcessGUID={64AF4F22-4082-6035-0500-00000000AD01}; SourceProcessId=412; SourceThreadId=428; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={64AF4F22-4B6B-6035-710A-00000000AD01}; TargetProcessId=6748; TargetImage=C:\Windows\System32\rundll32.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38433; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.232; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38432; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.232; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38431; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.232; SourceProcessGUID={64AF4F22-4B6A-6035-700A-00000000AD01}; SourceProcessId=3480; SourceThreadId=7004; SourceImage=\\127.0.0.1\ADMIN$\4cd3ee7.exe; TargetProcessGUID={64AF4F22-4B6B-6035-710A-00000000AD01}; TargetProcessId=6748; TargetImage=C:\Windows\System32\rundll32.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|\\127.0.0.1\ADMIN$\4cd3ee7.exe+1701|\\127.0.0.1\ADMIN$\4cd3ee7.exe+194c|\\127.0.0.1\ADMIN$\4cd3ee7.exe+1aa8|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38430; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.232; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38429; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.232; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38428; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.231; ProcessGuid={64AF4F22-4B6B-6035-710A-00000000AD01}; ProcessId=6748; Image=C:\Windows\System32\rundll32.exe; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=Windows host process (Rundll32); Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=RUNDLL32.EXE; CommandLine=C:\Windows\System32\rundll32.exe; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={64AF4F22-4083-6035-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C; ParentProcessGuid={64AF4F22-4B6A-6035-700A-00000000AD01}; ParentProcessId=3480; ParentImage=\\127.0.0.1\ADMIN$\4cd3ee7.exe; ParentCommandLine=\\127.0.0.1\ADMIN$\4cd3ee7.exe
EventID=18; Version=1; Level=4; Task=18; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38427; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=ConnectPipe; UtcTime=2021-02-23 18:37:31.226; ProcessGuid={64AF4F22-4B6A-6035-700A-00000000AD01}; ProcessId=3480; PipeName=\MSSE-1342-server; Image=\\127.0.0.1\ADMIN$\4cd3ee7.exe
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38426; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.176; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System; Hashes=MD5=3BA3F28CB54A012F007C80CFB77C8A1B,SHA256=F282F682BF772410A597F8D248EE4B05A517487D02E4D54CE6F166DA781C286B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38425; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:31.175; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System; Hashes=MD5=4A509F495F8543FAE8A7DC550BAF17A7,SHA256=96BAD8D5A2532B51A4288D7072AC6D8CF480E02449451C348BC7EAA190381789,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38462; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.448; SourceProcessGUID={64AF4F22-4B6C-6035-720A-00000000AD01}; SourceProcessId=6360; SourceThreadId=6484; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; TargetProcessGUID={64AF4F22-4104-6035-CF01-00000000AD01}; TargetProcessId=856; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38461; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.422; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4262-6035-5702-00000000AD01}; TargetProcessId=5364; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38460; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.422; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4261-6035-5602-00000000AD01}; TargetProcessId=5264; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38459; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.336; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E562EC5E9169F11BF7D2C7911D978B48,SHA256=B7E6EF22111DBAA76765784A9C821E24A93992AF31AD87A490C5F89A4A5FC57F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38458; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.311; SourceProcessGUID={64AF4F22-4104-6035-D301-00000000AD01}; SourceProcessId=4356; SourceThreadId=4368; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={64AF4F22-4B6C-6035-720A-00000000AD01}; TargetProcessId=6360; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38457; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.309; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38456; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.308; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38455; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.308; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38454; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.308; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38453; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.308; SourceProcessGUID={64AF4F22-4082-6035-0500-00000000AD01}; SourceProcessId=412; SourceThreadId=428; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={64AF4F22-4B6C-6035-720A-00000000AD01}; TargetProcessId=6360; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38452; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.308; SourceProcessGUID={64AF4F22-4104-6035-CF01-00000000AD01}; SourceProcessId=856; SourceThreadId=4700; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={64AF4F22-4B6C-6035-720A-00000000AD01}; TargetProcessId=6360; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38451; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.176; ProcessGuid={64AF4F22-4B6C-6035-720A-00000000AD01}; ProcessId=6360; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; FileVersion=8.0.2; Description=Registry monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-regmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={64AF4F22-4083-6035-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25; ParentProcessGuid={64AF4F22-4104-6035-CF01-00000000AD01}; ParentProcessId=856; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38450; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.254; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=F7A17DC51427E48F49A014A55CEF8B9B,SHA256=D383A01275B48AD3B346E502DA58743FD38EF990F034464BF91E29D3C7637CEF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38449; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.237; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System; Hashes=MD5=3BA3F28CB54A012F007C80CFB77C8A1B,SHA256=F282F682BF772410A597F8D248EE4B05A517487D02E4D54CE6F166DA781C286B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38448; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:32.205; ProcessGuid={64AF4F22-4081-6035-0100-00000000AD01}; ProcessId=4; User=NT AUTHORITY\SYSTEM; Image=System; TargetFilename=C:\Windows\4cd3ee7.exe; Hashes=MD5=CDA30E6AF47CAF6E94E63D0F30741DBE,SHA256=D9AF30D3A505036CF5C0FEA96A66D2781A4CAF90681652E808619939CBA074DA,IMPHASH=BED5688A4A2B5EA6984115B458755E90; IsExecutable=true; Archived=true
EventID=12; Version=2; Level=4; Task=12; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38447; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=DeleteKey; UtcTime=2021-02-23 18:37:32.202; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38446; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=T1031,T1050; EventType=SetValue; UtcTime=2021-02-23 18:37:32.202; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\Start; Details=DWORD (0x00000004)
EventID=13; Version=2; Level=4; Task=13; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38445; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; EventType=SetValue; UtcTime=2021-02-23 18:37:32.202; ProcessGuid={64AF4F22-4083-6035-0A00-00000000AD01}; ProcessId=620; Image=C:\Windows\system32\services.exe; TargetObject=HKLM\System\CurrentControlSet\Services\4cd3ee7\DeleteFlag; Details=DWORD (0x00000001)
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38491; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.867; SourceProcessGUID={64AF4F22-4B6D-6035-740A-00000000AD01}; SourceProcessId=3236; SourceThreadId=6344; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; TargetProcessGUID={64AF4F22-4104-6035-CF01-00000000AD01}; TargetProcessId=856; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess=0x101400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38490; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.729; SourceProcessGUID={64AF4F22-4104-6035-D301-00000000AD01}; SourceProcessId=4356; SourceThreadId=4368; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={64AF4F22-4B6D-6035-740A-00000000AD01}; TargetProcessId=3236; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38489; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.727; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38488; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.727; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38487; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.726; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38486; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.726; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=300; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4095-6035-2D00-00000000AD01}; TargetProcessId=3064; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38485; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.726; SourceProcessGUID={64AF4F22-4082-6035-0500-00000000AD01}; SourceProcessId=412; SourceThreadId=480; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={64AF4F22-4B6D-6035-740A-00000000AD01}; TargetProcessId=3236; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38484; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.726; SourceProcessGUID={64AF4F22-4104-6035-CF01-00000000AD01}; SourceProcessId=856; SourceThreadId=4700; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={64AF4F22-4B6D-6035-740A-00000000AD01}; TargetProcessId=3236; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38483; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.725; ProcessGuid={64AF4F22-4B6D-6035-740A-00000000AD01}; ProcessId=3236; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={64AF4F22-4083-6035-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C; ParentProcessGuid={64AF4F22-4104-6035-CF01-00000000AD01}; ParentProcessId=856; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38482; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.454; ProcessGuid={64AF4F22-4111-6035-0602-00000000AD01}; ProcessId=3712; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=28EC4434E66B096D22FFEEFE92C7CDED,SHA256=53F4AD7C795F62EEF49E13ACDCFFE88C14B5E52DEC4BA45845FDFB1913FE8D7A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38481; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.423; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4262-6035-5702-00000000AD01}; TargetProcessId=5364; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=38480; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-177.attackrange.local; RuleName=-; UtcTime=2021-02-23 18:37:33.423; SourceProcessGUID={64AF4F22-4084-6035-0C00-00000000AD01}; SourceProcessId=844; SourceThreadId=968; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={64AF4F22-4261-6035-5602-00000000AD01}; TargetProcessId=5264; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
22542200x800000000000000038479Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:29.931{64AF4F22-4B6B-6035-710A-00000000AD01}6748win-dc-177010.0.1.14;C:\Windows\System32\rundll32.exe
10341000x800000000000000038478Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.367{64AF4F22-4095-6035-2D00-00000000AD01}30641364C:\Windows\sysmon64.exe{64AF4F22-4B6B-6035-710A-00000000AD01}6748C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ntdll.dll+6cdaa|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038477Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.344{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE144B5491E9174FE2FF9804B6496BF,SHA256=3FDBEC78017C958CBFA1D3FF4902F57BCE7DB060C9BDABB9E0E6B164E1E8DA98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038476Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.321{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio10301623461648475705.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000038475Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.205{64AF4F22-4083-6035-0B00-00000000AD01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-177.attackrange.local52620-true0:0:0:0:0:0:0:1win-dc-177.attackrange.local389ldap
354300x800000000000000038474Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:30.205{64AF4F22-4095-6035-2700-00000000AD01}2896C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-177.attackrange.local52620-true0:0:0:0:0:0:0:1win-dc-177.attackrange.local389ldap
23542300x800000000000000038473Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.284{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio4291667398423485035.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038472Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.219{64AF4F22-4B6C-6035-730A-00000000AD01}68446668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
18141800x800000000000000038471Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-ConnectPipe2021-02-23 18:37:33.206{64AF4F22-4B3E-6035-680A-00000000AD01}7080\msagent_cfC:\Users\Administrator\Desktop\beacon_jquery.exe
10341000x800000000000000038470Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.084{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B6C-6035-730A-00000000AD01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038469Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.082{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038468Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.081{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038467Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.081{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038466Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.081{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038465Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.081{64AF4F22-4082-6035-0500-00000000AD01}412480C:\Windows\system32\csrss.exe{64AF4F22-4B6C-6035-730A-00000000AD01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038464Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:33.081{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B6C-6035-730A-00000000AD01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038463Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:32.951{64AF4F22-4B6C-6035-730A-00000000AD01}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038503Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.825{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9279FAB9507B427A4F298B1AF16692,SHA256=02D757DB7199801E8D00AFA9FFB44A8DDE7F6E6C5BC679CCFD138AF1156D7A28,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038502Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.524{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B6E-6035-750A-00000000AD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038501Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.522{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038500Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.522{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038499Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.521{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038498Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.521{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038497Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.521{64AF4F22-4082-6035-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{64AF4F22-4B6E-6035-750A-00000000AD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038496Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.521{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B6E-6035-750A-00000000AD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038495Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.390{64AF4F22-4B6E-6035-750A-00000000AD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000038494Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.423{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038493Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.423{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038492Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:34.351{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF089DD6E176855DE0802D1EC36F293F,SHA256=B3DFB00BD9946875CC8F64C82EF39E596FB464D2B0B5C87FC0C66956920BB3E4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038508Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:35.423{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038507Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:35.423{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038506Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:35.361{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1DC8CBAEA0ADDD98732A319A46F832,SHA256=185E52B76BAE3471EE1B6889012B08D4D6DAB2ECBAD5D2555B0235C8E9E9FECD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000038505Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:32.742{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52622-false10.0.1.12-8000-
354300x800000000000000038504Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:31.895{64AF4F22-4B3E-6035-680A-00000000AD01}7080C:\Users\Administrator\Desktop\beacon_jquery.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-177.attackrange.local52621-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x800000000000000038511Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:36.424{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038510Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:36.424{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038509Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:36.365{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC33C7B4A705A7EA1375A1B4B17FAC77,SHA256=FA86B6499AB9D00BED1C7E7382C386304B1F8186019F74D282FE180F05629B62,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038514Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:37.425{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038513Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:37.425{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038512Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:37.371{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3222B0263658B7956DBB41E2ADC7AF57,SHA256=8E50F69B6DC5BC930DB0482B3173A7A71A759A8956C3A083A03E81702B972266,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038517Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:38.426{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID 10 (ProcessAccess) columns:	EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	SourceProcessGUID	SourceProcessId	SourceThreadId	SourceImage	TargetProcessGUID	TargetProcessId	TargetImage	GrantedAccess	CallTrace
EventID 23 (FileDelete) columns:	EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	ProcessGuid	ProcessId	User	Image	TargetFilename	Hashes	IsExecutable	Archived
EventID 3 (NetworkConnect) columns:	EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	ProcessGuid	ProcessId	Image	User	Protocol	Initiated	SourceIsIpv6	SourceIp	SourceHostname	SourcePort	SourcePortName	DestinationIsIpv6	DestinationIp	DestinationHostname	DestinationPort	DestinationPortName
10	3	4	10	0	0x8000000000000000	38516	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:38.426	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38515	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:38.374	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=7CDDA9328D946EC6B04E713BB030CE5F,SHA256=029B129BFCA077F1602BFF50DF2BC436A5B94470A387A0A738F269095D2777E2,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	38521	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:39.763	{64AF4F22-4104-6035-CF01-00000000AD01}	856	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe	C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml	MD5=383FF891B54042AF48D937003E34CF57,SHA256=987B086468067B1523CD4B7B9BD1DACA3B756BBC54E50911C45E1BF247EAF284,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38520	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:39.427	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38519	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:39.427	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38518	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:39.377	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=25790B0BCBDC930FBECE9A335AF8CD7F,SHA256=DB335125ADED185797DB044B6C7DAD30EED88D521CE2245813E8BEFC76D810B1,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38526	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:40.427	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38525	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:40.427	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38524	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:40.381	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=215BE78AC66EB359576C252BE57F8029,SHA256=2B16EF84EC966314BA8E768106E9D263BF0FA9C4904007D58D6834C171DF85A1,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	38523	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:40.222	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=0D16707B06D072D4D64E50DBE98E4FD4,SHA256=8D759A98EE2B191438374F2CB59F1B1B6FA9E71D8BD8F5FBE2169773C94607B5,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	38522	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:40.221	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=67713A5BB39F7F8CE66AEEBB24862A7D,SHA256=1138F4FE574317A5D10B8A510E2A39A9D2441F48B261AFBDA558762F610DDC9D,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38531	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:41.428	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38530	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:41.428	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38529	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:41.389	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=B0A55E241386C72DF0A7CE546EC46B02,SHA256=F38026F2B47BBDDA4CE3B390774ED38071CEB84089B6D1FF7030E6046D131F3F,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	38528	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:38.428	{64AF4F22-4104-6035-CF01-00000000AD01}	856	C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-177.attackrange.local	52624	-	false	10.0.1.12	-	8089	-
3	5	4	3	0	0x8000000000000000	38527	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:37.886	{64AF4F22-410B-6035-FD01-00000000AD01}	4916	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-177.attackrange.local	52623	-	false	10.0.1.12	-	8000	-
10	3	4	10	0	0x8000000000000000	38534	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:42.429	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38533	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:42.429	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38532	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:42.395	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=A2E5A310DC06D3ACBB703883254B24C4,SHA256=3FD3CB3A99636F4F8E95465B6AFCA54343859DA0CF9A5588EEEF45CD0B422B96,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38537	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:43.430	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38536	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:43.430	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38535	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:43.399	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=C37AC04AB6DC9EA8E55C747846BE8584,SHA256=80BF237944AD3052B3D373BA8434BA20BE3D0A21A6B39E91CA80AA2EAA12B393,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38540	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:44.430	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38539	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:44.430	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38538	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:44.404	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=2FD2008E6B5F5B6D2ACC1B768A7C3EC4,SHA256=F14AC729461E734A4745162A7556B43A886CE86357837AC50A585E64B2FEC0A2,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38551	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.692	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1410	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38550	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.692	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38549	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.692	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38548	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.691	{64AF4F22-4258-6035-4802-00000000AD01}	4956	6048	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1410	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38547	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.691	{64AF4F22-4258-6035-4802-00000000AD01}	4956	6048	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38546	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.691	{64AF4F22-4258-6035-4802-00000000AD01}	4956	6048	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38545	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.691	{64AF4F22-4258-6035-4802-00000000AD01}	4956	6048	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38544	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.683	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	ATTACKRANGE\Administrator	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	C:\Users\ADMINI~1\AppData\Local\Temp\2\imageio9185623867951181362.tmp	MD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38543	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38542	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38541	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:45.414	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=A8F0862FDA1D096677F16FA953DB2476,SHA256=CA66372FE97FD8F6FB0FC6139513AA6231C2D20C8808AC9DD29665E090AA3745,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38556	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:46.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38555	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:46.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38554	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:46.419	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=D95075D765C25CFA8127B652D285BA4D,SHA256=4D64D7938AB0B5919F93438CF5F8CA6697E378A7B75946578A727FA85149145D,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	38553	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:46.110	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=406A6F26203E8EE0095A1BBA6BE7E1CF,SHA256=8103543218ED8F519EC39641E0181CBECC542D0A0AE140D3458CC3F9FD163B46,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	38552	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:46.110	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=0D16707B06D072D4D64E50DBE98E4FD4,SHA256=8D759A98EE2B191438374F2CB59F1B1B6FA9E71D8BD8F5FBE2169773C94607B5,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38560	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:47.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38559	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:47.431	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38558	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:47.428	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=41702C9A2918454E7FBD5CBEDC028C0E,SHA256=210D522DF9CFE1CF69DD43CF8F7C408281769D0419029FB22196E156C82D6267,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	38557	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:43.776	{64AF4F22-410B-6035-FD01-00000000AD01}	4916	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-177.attackrange.local	52625	-	false	10.0.1.12	-	8000	-
23	5	4	23	0	0x8000000000000000	38563	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:48.434	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=21126D7CD303A3B2F6372F6A2D59D663,SHA256=DE61EE335F43BE89324CC940DF8EBF4925AE3220DB3198F7762FD41CCC68B66B,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38562	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:48.432	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38561	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:48.432	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38566	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:49.437	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=81CA63AD4D19270DCDEC22891F2BACAC,SHA256=117480E92BFBE67D0F8F2331AFB5D5CED7A8AB83472E006F5C71593725E66B70,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38565	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:49.432	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38564	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:49.432	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23	5	4	23	0	0x8000000000000000	38572	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.441	{64AF4F22-4111-6035-0602-00000000AD01}	3712	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=1C80C93B729BA0B9E2E72C1962B368F2,SHA256=2B71FB05382F99A305CBC13162F3B533CF744424A0EBF44B424C4E24453588CB,IMPHASH=00000000000000000000000000000000	false	true
10	3	4	10	0	0x8000000000000000	38571	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.433	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4262-6035-5702-00000000AD01}	5364	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38570	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.433	{64AF4F22-4084-6035-0C00-00000000AD01}	844	968	C:\Windows\system32\svchost.exe	{64AF4F22-4261-6035-5602-00000000AD01}	5264	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38569	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.393	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1410	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38568	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.393	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	38567	Microsoft-Windows-Sysmon/Operational	win-dc-177.attackrange.local	-	2021-02-23 18:37:50.392	{64AF4F22-4258-6035-4802-00000000AD01}	4956	2412	C:\Windows\Explorer.EXE	{64AF4F22-446F-6035-7F05-00000000AD01}	5928	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038575Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:51.549{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E18B3F7CFC2ABEEF202B17274CF0801,SHA256=3C5021D1874FAE18AD39FF8B7C86F1C83EF31EA775AF8CAD903E2C9D3D60ACD2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038574Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:51.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038573Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:51.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038581Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:52.556{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB2E231599C760C84BEE6D68C59B8DE,SHA256=D323763909DD845967BF495343D302A332F8856B7AE1ADF42927B7E76E04C377,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038580Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:52.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038579Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:52.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038578Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:49.674{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52626-false10.0.1.12-8000-
23542300x800000000000000038577Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:52.011{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CBFA04A19AA7564016668F038C5F1E8,SHA256=FEBA6C0E2157198B1529D4DD64D8B7912025A58784E359FBD6BBC4B93204ED9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038576Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:52.010{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=406A6F26203E8EE0095A1BBA6BE7E1CF,SHA256=8103543218ED8F519EC39641E0181CBECC542D0A0AE140D3458CC3F9FD163B46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038584Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:53.564{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31CEFBE54D2C71B2039F36F45424E5B,SHA256=7024C85BA99E5BCCC4B58950E1132792B93EDC343D3ABD322F6E6EB8524B0A51,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038583Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:53.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038582Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:53.434{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038587Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:54.567{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2947189F705C55D680E034236D48BFC4,SHA256=942C408AC5F2C71195BA2F6FE8FDF4A13BA31123ED3759E90F63B605CCA57D12,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038586Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:54.435{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038585Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:54.435{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038592Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:55.582{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio9444920207692350783.tmpMD5=F0A05BBE37F5099DB3E64D1BFF5D81BC,SHA256=0A9F032EF90E9E832EB804489C816F2657D0CFE57DD32412355BEEAEF7423AC5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038591Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:55.576{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8623BD6A3EAC3D89212F7CC3CF08D9CF,SHA256=573B168CEBE256656AD1806A76A7C982E0ED1A6425BC7E9EA19E39C257306A49,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038590Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:55.563{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio4543211834875831203.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038589Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:55.436{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038588Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:55.436{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038595Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:56.584{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB7A7DBD83BAF8688B51D6D1C015337,SHA256=2652C6B24E1C1F2CC777F399AE5C0A0CFF3E7DC4D2A50594EB4467EDFCDBD54F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038594Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:56.437{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038593Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:56.437{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x800000000000000038602Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-SetValue2021-02-23 18:37:57.609{64AF4F22-4085-6035-1100-00000000AD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d70a13-0x01792128)
23542300x800000000000000038601Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:57.591{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467CA0BCB5D93B2CB4F6F74EEA2FF713,SHA256=D3DD53B2BCCF747A5F2347A78D33E1146373EC39492BC58D7E86FF4D409243B9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038600Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:57.437{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038599Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:57.437{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038598Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:54.802{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52627-false10.0.1.12-8000-
23542300x800000000000000038597Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:57.254{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB3EE3540D8615726446BD74E4F899CB,SHA256=F201005BC2009ED97709497AABA93D4A5E9E8B7E5D88F1DFD212C952F5397C09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038596Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:57.253{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CBFA04A19AA7564016668F038C5F1E8,SHA256=FEBA6C0E2157198B1529D4DD64D8B7912025A58784E359FBD6BBC4B93204ED9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038605Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:58.611{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD380BA022086C6CF7B12030C4EAC5AB,SHA256=E7856A60CF16D7DF7B86443158C416E97033FD5126354BED82701D15BDE016A9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038604Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:58.438{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038603Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:58.438{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038608Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:59.617{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1013B7E114F5018E07BAC7F196598A05,SHA256=79F8550F05FE4E3420AA25CE1F011995DB90B79252401CBB20C905EFCA897C4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038607Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:59.439{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038606Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:37:59.439{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038611Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:00.621{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6F70089FDF7599B8D4F9CA3EA7C9AB,SHA256=C9FFF9F1F06621B4FEC866E720333E623097D98DCE15A8B56378B32A8C716EF8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038610Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:00.439{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038609Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:00.439{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038614Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:01.627{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F00991C514A769E0CF6170A0E9EEAF,SHA256=F875AC2E424637D9B72AF34603E4761CF3DD5080868F9F8C9594D816C50576FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038613Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:01.440{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038612Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:01.440{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038626Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.633{64AF4F22-4085-6035-1000-00000000AD01}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AAE9A1BA8705E602D38B3FE350A4097B,SHA256=8EAA152D0AF56CA7155E56A9917C9BBD9D74C02DDA259E0460CBA206BD8E6FFF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038625Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.631{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBB16754DA966941A3F6CEDB4DCD21D,SHA256=BD7B2D761EFB5064181DD3398DFDB20D5147EACF75C36008CE64863D65A6FF44,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038624Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.440{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038623Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.440{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038622Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.380{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038621Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.379{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038620Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.379{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038619Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.379{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038618Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.379{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038617Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.379{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038616Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.378{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038615Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:02.367{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio8946381275536319588.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038632Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:03.642{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CDCC404378A8EDBAACDCD930ABC30B,SHA256=1D14B16AC0190BBCA8C217CF5D7C327E096CCBEDB4BC6C8FFD423E0C9AB084AA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038631Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:03.441{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038630Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:03.441{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038629Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:00.683{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52628-false10.0.1.12-8000-
23542300x800000000000000038628Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:03.235{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F6A34D35BDEB4DE059D49D6DBFC11C,SHA256=CE10D76912D1773F89827C32803096457484A4176878792EA31C82B6D000905F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038627Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:03.235{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB3EE3540D8615726446BD74E4F899CB,SHA256=F201005BC2009ED97709497AABA93D4A5E9E8B7E5D88F1DFD212C952F5397C09,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038635Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:04.649{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E507648E08F062D18B359933D7B061,SHA256=9D73DAE060DCECF85146F8C237D27B82B25573A175D91CF5F36FFC2D5E5500EC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038634Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:04.442{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038633Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:04.442{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038638Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:05.654{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE42E0CAD6FCCBA8FB928C2D83C289A9,SHA256=96F7CA27C751F1B2D4B1D6C1872F3F86A3EBCC4518930752DD6CA68B964DA446,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038637Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:05.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038636Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:05.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038649Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.675{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038648Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.674{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038647Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.674{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038646Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.672{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038645Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.672{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038644Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.671{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038643Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.671{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038642Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.664{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio17304821097745753359.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038641Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.658{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEECFD40BD1629153C6AFB2367D3BB2,SHA256=2FD542125CFBA1A4DE2E1ECB6BDCF6DF97A86E9908B93134C74F4D51AD14072E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038640Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038639Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:06.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038652Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:07.669{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F362678B331C72BA5F62352071332345,SHA256=A9034E2459929D0922C213B0153A2BE5F38846E1D06BFB0F2D9FDBAFD3ABA7E6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038651Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:07.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038650Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:07.443{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038660Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.677{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DE4099CF768B88629A4B6E844556E8,SHA256=F5E1200F7C738CC4FE8F5E0D9EC02B805F6CB140D0485527C41788E339D006A0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038659Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.539{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038658Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.538{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038657Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.538{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038656Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038655Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038654Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.260{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96841FDF0F004DB8FB682FD5BD3CD256,SHA256=9BBE377ED8916793205985798255A402FF2E30A6913BCAABEC28693E895B610C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038653Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:08.259{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F6A34D35BDEB4DE059D49D6DBFC11C,SHA256=CE10D76912D1773F89827C32803096457484A4176878792EA31C82B6D000905F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038672Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.683{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0955FF3390A93C6D3C53F025556EF1FF,SHA256=70CF5F735F60CFDFAF0E4E23C0AB0049EEF2A99A4E938ABEF4C98A8A1BA2D0EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038671Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.540{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038670Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.540{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038669Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.539{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038668Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.539{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038667Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.539{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038666Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.539{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038665Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.538{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038664Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.531{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio11621662725431025984.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038663Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038662Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:09.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038661Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:05.821{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52629-false10.0.1.12-8000-
23542300x800000000000000038675Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:10.688{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7703CE009CC531881BAB4E96E6F3CCDF,SHA256=AC2D75E1E11D77DA4B0B91771BFA142375D344E35456B50FE288AD351A207C65,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038674Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:10.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038673Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:10.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038678Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:11.695{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1843730A4349FC2835407D206E9BA7,SHA256=256D46AB26F402B3850459D23BCFAAC2E858A7F82579E81A6D9546877E5BE841,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038677Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:11.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038676Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:11.444{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038684Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.699{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B800A873EAD04C9DCFB85F87810988,SHA256=5B46AC390C92A9FD06481034F03E2F7DB6D119084AAEB35028BB91605D23C3E0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038683Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038682Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038681Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.364{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038680Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.364{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038679Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.364{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038691Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.706{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DFB0663C8FC72A2C21077B803CA186,SHA256=9764A8DD034DD0A2313E3BC45EB9731130AE74B7E97E3065861722FA0D13FC72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038690Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.594{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio12838151347357249683.tmpMD5=1787E49257FB1AC64E6E00155AFA2785,SHA256=D33C3C7FD47D99B3BB581468B6CC3E78391A9C685EEEE7AD4ACCA28C523F7CFD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038689Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.587{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038688Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.587{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038687Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.587{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038686Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038685Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:13.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038699Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.713{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80532A50697AB374D547E5DB54E258D6,SHA256=215962DF31EE03DC1237B95C57BF5C319C55F112C0F1D4A8AEFBA06ABF726B2E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038698Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038697Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038696Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:11.729{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52630-false10.0.1.12-8000-
23542300x800000000000000038695Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.137{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio16837338317957456821.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038694Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.108{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=107F1FF403C809C2A6A3EC802D033AEF,SHA256=BCCBEE840B680719EBCFE073CF0923CFA85936164C33CBD1C212F2A97155AC79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038693Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.107{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio18212963521583988003.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038692Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:14.107{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96841FDF0F004DB8FB682FD5BD3CD256,SHA256=9BBE377ED8916793205985798255A402FF2E30A6913BCAABEC28693E895B610C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038704Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:15.717{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3E452CDC3E71E143277348980E588,SHA256=86261380154EA4E9E59F2E1E84DC0D52D996B52A3AE6A1B62BEF77DC77A8D956,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038703Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:15.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038702Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:15.445{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038701Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.187{64AF4F22-4B3E-6035-680A-00000000AD01}7080C:\Users\Administrator\Desktop\beacon_jquery.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-177.attackrange.local52632-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x800000000000000038700Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:12.104{64AF4F22-4B3E-6035-680A-00000000AD01}7080C:\Users\Administrator\Desktop\beacon_jquery.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-177.attackrange.local52631-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x800000000000000038707Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:16.723{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E4811DB29D04EB783EEDDD511CFA19,SHA256=768603A8CFF683851435D266BE8D3C242BF8E88CF7F87F64ACC25011F3AFD2D5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038706Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:16.446{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038705Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:16.446{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038710Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:17.727{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8C6896B5C3AFE1AE916E1733148A6F,SHA256=67DD35BCC5B9723B23ED10A0AEECC688B87EEA129EDAD3C8ECCBE42D20978CAF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038709Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:17.447{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038708Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:17.447{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038713Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:18.742{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE204C7E5FC4618782BF923E22E9D82F,SHA256=03C73DC2E10701F6DF5CA1EFCA2801CCDD59FB97B2201BC6F944F39E2C0A185B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038712Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:18.447{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038711Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:18.447{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038718Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:19.749{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327D3A21C919D7820D84B912E8DA5687,SHA256=68FC32E62CB52BE2FFE6DCE6420B796F237CD5760B64A18118D8B9C14E585E89,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038717Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:19.448{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038716Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:19.448{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038715Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:19.204{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E9F40170832DC8298215D19D421DF88,SHA256=BD8FF99964BD9F886FC145873C61B208A84244E89DC3EB2D1457B8B9AB7EFA61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038714Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:19.203{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=107F1FF403C809C2A6A3EC802D033AEF,SHA256=BCCBEE840B680719EBCFE073CF0923CFA85936164C33CBD1C212F2A97155AC79,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038731Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.854{64AF4F22-4B9C-6035-760A-00000000AD01}54843088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038730Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.756{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99328D3BBD69087611EFF222B7CB5201,SHA256=C08DAC554625CFED313EA3E8C1827AED97D950B8D64B8205C35BE7CF4CB5510A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038729Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.721{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B9C-6035-760A-00000000AD01}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038728Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.720{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038727Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.720{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038726Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.719{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038725Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.719{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038724Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.719{64AF4F22-4082-6035-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{64AF4F22-4B9C-6035-760A-00000000AD01}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038723Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.719{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B9C-6035-760A-00000000AD01}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038722Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.718{64AF4F22-4B9C-6035-760A-00000000AD01}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000038721Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.449{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038720Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:20.449{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000038719Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:16.870{64AF4F22-410B-6035-FD01-00000000AD01}4916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-177.attackrange.local52633-false10.0.1.12-8000-
23542300x800000000000000038743Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.788{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E9F40170832DC8298215D19D421DF88,SHA256=BD8FF99964BD9F886FC145873C61B208A84244E89DC3EB2D1457B8B9AB7EFA61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038742Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.763{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD88284766A3241338072D9D28AF8E7,SHA256=B9D698FA767F56348B0D2D930105F889A508A311FE86403BCA052C2853625965,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038741Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.449{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038740Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.449{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038739Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.402{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B9D-6035-770A-00000000AD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038738Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.401{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038737Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.401{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038736Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.400{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038735Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.400{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038734Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.400{64AF4F22-4082-6035-0500-00000000AD01}412480C:\Windows\system32\csrss.exe{64AF4F22-4B9D-6035-770A-00000000AD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038733Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.400{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B9D-6035-770A-00000000AD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038732Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:21.399{64AF4F22-4B9D-6035-770A-00000000AD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038754Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.774{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CBFF6B8A093CB548F72F2F21081888,SHA256=048FB496368CF2DB5D377C2D104649C2DDE04B2AA0FC543C5E4F122BE85A3C87,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038753Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.450{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038752Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.450{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038751Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.066{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4B9E-6035-780A-00000000AD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038750Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.064{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038749Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.064{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038748Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.064{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038747Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.063{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038746Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.063{64AF4F22-4082-6035-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{64AF4F22-4B9E-6035-780A-00000000AD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038745Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.063{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4B9E-6035-780A-00000000AD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038744Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:22.062{64AF4F22-4B9E-6035-780A-00000000AD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038758Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:23.782{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EC6C571DE2D1402D38372752929443,SHA256=B180455045EFFEB715F78E4315C2EB5CE98E33EE699707989675E7E9988F15CA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038757Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:23.451{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038756Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:23.451{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038820Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.867{64AF4F22-4BA8-6035-7A0A-00000000AD01}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038819Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.840{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EE1BA858B696B07EB56D3614C08355,SHA256=15B6330E32DAFCF83C076F208FDAD2058322C551C15C5808E8101EEF9E2E3FBA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038818Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.828{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038817Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.828{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038816Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.828{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038815Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.545{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C65905E4C1EE4DE608F5A7811E997747,SHA256=E69F7C826FCAC7C904A09D98886FF63E93F60E39A7753B07BA8249A35CB59A8D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038814Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.456{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038813Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.456{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038812Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.317{64AF4F22-4BA8-6035-790A-00000000AD01}66247112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038811Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.189{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4BA8-6035-790A-00000000AD01}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038810Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.188{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038809Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.188{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038808Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.187{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038807Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.187{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038806Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.187{64AF4F22-4082-6035-0500-00000000AD01}412480C:\Windows\system32\csrss.exe{64AF4F22-4BA8-6035-790A-00000000AD01}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038805Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.187{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4BA8-6035-790A-00000000AD01}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000038804Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:32.186{64AF4F22-4BA8-6035-790A-00000000AD01}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{64AF4F22-4083-6035-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000038851Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.923{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9DBC5A02A0A7A30FA3EEEBC4884BEF,SHA256=6B84E200593B27E662DB7DA603A0B2052693495B353466A507AB757A2ACC9993,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038850Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.923{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB9DB91F1CCB8D31881F189953CD1775,SHA256=177C373BE5CE05C9D59F1AF99C4A43EDEBB8BB6FDA35A2617BC65946C5B2CD6D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038849Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.827{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038848Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.827{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038847Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.827{64AF4F22-4258-6035-4802-00000000AD01}49562412C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038846Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.826{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038845Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.826{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038844Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.826{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038843Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.825{64AF4F22-4258-6035-4802-00000000AD01}49566048C:\Windows\Explorer.EXE{64AF4F22-446F-6035-7F05-00000000AD01}5928C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038842Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.818{64AF4F22-446F-6035-7F05-00000000AD01}5928ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio12238474654265922567.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038841Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.673{64AF4F22-4BA9-6035-7B0A-00000000AD01}51564136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{64AF4F22-4104-6035-CF01-00000000AD01}856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038840Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.535{64AF4F22-4104-6035-D301-00000000AD01}43564368C:\Windows\system32\conhost.exe{64AF4F22-4BA9-6035-7B0A-00000000AD01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038839Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.534{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038838Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.534{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038837Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.533{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038836Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.533{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038835Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.533{64AF4F22-4082-6035-0500-00000000AD01}412480C:\Windows\system32\csrss.exe{64AF4F22-4BA9-6035-7B0A-00000000AD01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038834Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:33.533{64AF4F22-4104-6035-CF01-00000000AD01}8564700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{64AF4F22-4BA9-6035-7B0A-00000000AD01}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038902Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:43.464{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038901Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:43.464{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038906Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:44.993{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC2692E462B3B5274790DAC66F4A308,SHA256=01926760A2E30E862B83E5EA8DA09056B2AC95477DFB29E9B17C3EB08FFA105D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038905Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:44.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038904Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:44.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038908Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:45.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038907Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:45.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038930Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.544{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+4239b|C:\Windows\System32\combase.dll+437f2|C:\Windows\System32\combase.dll+68b43|C:\Windows\System32\combase.dll+439fd|C:\Windows\System32\combase.dll+66f1c|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e
10341000x800000000000000038929Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.544{64AF4F22-4257-6035-3F02-00000000AD01}45604540C:\Windows\System32\RuntimeBroker.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+670db|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+280f|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+6a22c|C:\Windows\System32\combase.dll+69ee2|C:\Windows\System32\combase.dll+4239b|C:\Windows\System32\combase.dll+437f2|C:\Windows\System32\combase.dll+68b43|C:\Windows\System32\combase.dll+439fd|C:\Windows\System32\combase.dll+66f1c|C:\Windows\System32\combase.dll+65c5f|C:\Windows\System32\combase.dll+81439|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d
10341000x800000000000000038928Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.513{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4BB6-6035-7F0A-00000000AD01}5152C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038927Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.503{64AF4F22-4082-6035-0500-00000000AD01}412428C:\Windows\system32\csrss.exe{64AF4F22-4BB6-6035-7F0A-00000000AD01}5152C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038926Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.503{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4BB6-6035-7F0A-00000000AD01}5152C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038925Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038924Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.465{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038923Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.459{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038922Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.459{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038921Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.459{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038920Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.459{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038919Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.457{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038918Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.457{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038917Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.456{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038916Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.456{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4095-6035-2D00-00000000AD01}3064C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038915Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.456{64AF4F22-4082-6035-0500-00000000AD01}412528C:\Windows\system32\csrss.exe{64AF4F22-4BB6-6035-7D0A-00000000AD01}6424C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000038914Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.456{64AF4F22-4085-6035-1600-00000000AD01}13202028C:\Windows\system32\svchost.exe{64AF4F22-4BB6-6035-7D0A-00000000AD01}6424C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65bf5|C:\Windows\SYSTEM32\ntdll.dll+658fd|C:\Windows\SYSTEM32\ntdll.dll+65760|C:\Windows\SYSTEM32\ntdll.dll+3a890|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038913Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.454{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038912Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.454{64AF4F22-4084-6035-0C00-00000000AD01}8445728C:\Windows\system32\svchost.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038911Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.454{64AF4F22-4084-6035-0C00-00000000AD01}8445728C:\Windows\system32\svchost.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038910Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.454{64AF4F22-4084-6035-0C00-00000000AD01}844300C:\Windows\system32\svchost.exe{64AF4F22-4085-6035-1600-00000000AD01}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038909Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:46.002{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA18F76A24A1E49B838D1AB5189DB6D,SHA256=BAA9E9C59EAD24A4CF9C22B7DDC3310DD937F51C7C9E65B5EA2CCA0492385CBC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000038935Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:47.466{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4262-6035-5702-00000000AD01}5364C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000038934Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:47.466{64AF4F22-4084-6035-0C00-00000000AD01}844968C:\Windows\system32\svchost.exe{64AF4F22-4261-6035-5602-00000000AD01}5264C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000038933Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:47.443{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A219D25B55672C586AE1E6F17149BC5,SHA256=A2A0EB6CE9E6AE26F27BD55785FE044E563E6E311CBF7F75784D098CF20814F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038932Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:47.442{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3216A0905A5260038BE0F74FF6D81907,SHA256=B0D1C0524F677FB6D728F6B45727516A9A0BB702C3E8829061243C25D05B46C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000038931Microsoft-Windows-Sysmon/Operationalwin-dc-177.attackrange.local-2021-02-23 18:38:47.009{64AF4F22-4111-6035-0602-00000000AD01}3712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6A9479D690FC5903DC7EF181233842,SHA256=B4BFDF83D411839E0CE42707A5F911773C994E652915BEA38F145A9847F056CC,IMPHASH=00000000000000000000000000000000falsetrue